Cryptographic method, systems and services for evaluating real-valued functions on encrypted data

ABSTRACT

The invention relates to a cryptographic method and variants thereof based on homomorphic encryption enabling the evaluation of real-valued functions on encrypted data, in order to allow carrying out homomorphic processing on encrypted data more broadly and efficiently.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is the U.S. National Phase of International ApplicationNo. PCT/FR2021/000049 filed May 14, 2021, which designated the U.S. andclaims priority to FR 2004772 filed May 14, 2020, the entire contents ofeach of which are hereby incorporated by reference.

FIELD OF THE INVENTION

The invention relates to improving the homomorphic evaluation of one ormore function(s) applied to data that are encrypted beforehand. Thistechnical field, based on recent cryptology works, potentially includesnumerous applications in all activity sectors where confidentialityconstraints exist (such as, not exclusively, those of privacyprotection, those of business secrets, or those of medical data).

More particularly, the invention relates to methods for enabling theautomated completion, by one or more specifically programmed computersystem(s), of the calculations necessary for the homomorphic evaluationof one or more function(s). Hence, it is necessary to take into accountthe limited storage and computation time capacities, or still – in thecase of a cloud computing type remote processing of the – transmissioncapacities that can be known by the information processing systems thatshould perform this type of evaluation.

As will be described hereinbelow, the development of homomorphicencryption methods has hitherto been greatly hindered by such technicalconstraints related to the processing capacities by computers andinherent to most of the schemes proposed by the literature, inparticular in terms of machine resources to be implemented andcomputation times to be supported in order to carry out the differentcomputation phases.

PRIOR ART

A fully homomorphic encryption scheme (Fully Homomorphic encryption,abbreviated as FHE) enables any participant to publicly transform a setof ciphertexts (corresponding to cleartexts x₁, ..., x_(p)) into aciphertext corresponding to a given function ƒ(x₁, ..., x_(p)) of thecleartexts, without this participant having access to the cleartextsthemselves. It is well known that such a scheme can be used to constructprotocols complying with private life (privacy preserving): a user canstore encrypted data on a server, and authorise a third-party to performoperations on the encrypted data, without having to reveal the datathemselves to the server.

The first fully homomorphic encryption scheme has been proposed only in2009 by Gentry (who has obtained the patent No. US8630422B2 at 2014 onthe basis of a first filing of 2009); also cf. [Craig Gentry, “Fullyhomomorphic encryption using ideal lattices”, in 41st Annual ACMSymposium on Theory of Computing, pages 169-178, ACM Press, 2009].Gentry’s construction is not used nowadays, but one of thefunctionalities that it has introduced, “bootstrapping”, and inparticular one of its implementations, is widely used in the schemesthat have been proposed subsequently. Bootstrapping is a technique usedto reduce the noise of the ciphertexts: indeed, in all known FHEschemes, the ciphertexts contain a small amount of random noise,necessary for security reasons. When operations are carried out on noisyciphertexts, the noise increases. After having evaluated a given numberof operations, this noise becomes too high and may jeopardise the resultof the calculations. Consequently, bootstrapping is fundamental for theconstruction of homomorphic encryption schemes, but this technique isvery expensive, whether in terms of used memory or computation time.

The works that have followed Gentry’s publication have aimed to providenew schemes and to improve bootstrapping in order to make thehomomorphic encryption feasible in practice. The most famousconstructions are DGHV [Marten van Dijk, Craig Gentry, Shai Halevi andVinod Vaikuntanathan, “Fully homomorphic encryption over the integers”,in Advances in Cryptology - EUROCRYPT 2010, volume 6110 of Lecture Notesin Computer Science, pp. 24-43, Springer, 2010], BGV [Zvika Brakerski,Craig Gentry, and Vinod Vaikuntanathan, “(Levelled) fully homomorphicencryption without bootstrapping”, in ITCS 2012; 3rd Innovations inTheoretical Computer Science, pages 309-325, ACM Press, 2012], GSW[Craig Gentry, Eds, Amit Sahai and Brent Waters, “Homomorphic encryptionfrom learning with errors: Conceptually simpler, asymptotically faster,Attribute-based”, in Advances in Cryptology-CRYPTO 2013, Part I, volume8042 of Lecture Notes in Computer Science, pp. 75-92, Springer, 2013]and variants thereof. While the execution of a bootstrapping in thefirst Gentry’s scheme has not been feasible in practice (one lifetimewould not have been sufficient to complete the calculations), theconstructions proposed successively have made this operation feasible,although not very practical (each bootstrapping lasting a few minutes).A faster bootstrapping, executed on a GSW type scheme, has been proposedin 2015 by Ducas and Micciancio [Leo Ducas and Daniele Micciancio,“FHEW: Bootstrapping homomorphic encryption in less than a second”, inAdvances in Cryptology - EUROCRYPT 2015, Part I, Volume 9056 of LectureNotes in Computer Science, pages 617-640, Springer, 2015]: thebootstrapping operation is carried out in a little more than a halfsecond. In 2016, Chillotti, Gama, Georgiava and Izabachene proposed anew variant of the FHE scheme, called TFHE [IIaria Chillotti, NicolasGama, Mariya Georgieva and Malika Izabachène, “Faster fully homomorphicencryption: Bootstrapping in less than 0.1 seconds”, in Advances inCryptology - ASIACRYPT 2016, Part I, volume 10031 of Lecture Notes inComputer Science, pages 3-33, Springer, 2016]. Their bootstrappingtechnique has served as a basis in subsequent works. Mention may be madeto the work of Bourse et al. [Florian Bourse, Micheles Minelli, MatthiasMinihold and Pascal Paillier, “Fast homomorphic evaluation of deepdiscretised neural networks”, in Advances in Cryptology - CRYPTO 2018,Part III, volume 10993 of Lecture Notes in Computer Science, pages483-512, Springer, 2018], Carpov et al. [Sergiu Carpov, MalikaIzabachène and Victor Mollimard, “New techniques for multi-value inputhomomorphic evaluation and applications”, in Topics in Cryptology -CT-RSA 2019, volume 11405 of Lecture Notes in Computer Science, pages106-126, Springer, 2019], Boura et al. [Christina Boura, Nicolas Gama,Mariya Georgieva and Dimitar Jetchev, “Simulating homomorphic evaluationof deep learning predictions”, in Cyber Security Cryptography andMachine Learning (CSCML 2019), volume 11527 of Lecture Notes in ComputerScience, pages 212-230, Springer, 2019] and Chillotti et al. [IlariaChillotti, Nicolas Gama, Mariya Georgieva and Malika Izabachène, “TFHE:Fast fully homomorphic encryption over the torus”, Journal ofCryptology, 31(1), pp. 34-91, 2020]. The TFHE performances areremarkable. They have contributed to the progress of research in thefield and in making the homomorphic encryption more practical. Theproposed new techniques have made it possible to calculate abootstrapping in a few milliseconds.

Technical Problem

Despite the accomplished progress, the known calculation proceduresallowing publicly transforming a set of ciphertexts (corresponding tocleartexts x₁, ..., x_(p)) into a ciphertext corresponding to a givenfunction ƒ(x₁, ..., x_(p)) of the cleartexts, remain for the time beinglimited to some instances or remain impractical. Indeed, the maincurrent generic means consists in representing this function in the formof a Boolean circuit - composed of logic gates of the AND, NOT, OR orXOR type, then in homomorphically evaluating this circuit, with as inputthe ciphertexts of the bits representing the inputs (in clear) of thefunction f. A measurement of the complexity of the Boolean circuit isits multiplicative depth, defined as the maximum number of successiveAND gates that should be calculated to obtain the result of thecalculation. For the noise to remain controlled during this calculation,it is necessary to regularly perform bootstrapping operations during theprogress thereof. As indicated hereinabove, even with the most recenttechniques, these bootstrapping operations involve complex calculationsand make the entire calculation even slower as the multiplicative depthis great. This approach is viable only for functions operating on binaryinputs and having a simple Boolean circuit.

In general, the function to be evaluated takes as input one or morereal-valued variable(s) x₁, ..., x_(p). There may even be severalfunctions ƒ₁, ..., ƒ_(q) to be evaluated on a set of real-valuedvariables. Hence, there is a major technical and economic interest infinding a method allowing carrying out rapidly and without mobilisingexcessively large computing means, the aforementioned operation ofpublicly transforming a set of ciphertexts (corresponding to cleartextsx₁, ..., x_(p)) into a set of ciphertexts corresponding to a pluralityof real-valued functions ƒ₁, ..., ƒ_(q) of the cleartexts. Indeed, todate, the theoretical advances made by Gentry in 2009 have not knownactual concretizations, due to the absence of effective solutions forthis technical problem. It is to this problem that the present inventionprovides a response.

Subject of the Invention

The present application describes a set of methods intended to beexecuted in a digital form by at least one information processing systemspecifically programmed to effectively and publicly transform a set ofciphertexts (corresponding to cleartexts x₁, ..., x_(p)) into a set ofciphertexts corresponding to a plurality of functions ƒ₁, ..., ƒ_(q) ofthe cleartexts. This new method transforms the multivariate functionsƒ₁, ..., ƒ_(q) into a form combining sums and compositions ofmultivariate functions. Preferably, the intermediate values resultingfrom the transformation of the functions ƒ₁, ..., ƒ_(q) are reused inthe evaluation. Finally, each of the univariate functions is preferablyrepresented in the form of tables - and not according to the usualrepresentation in the form of a Boolean circuit.

Remarkably, any multivariate function defined on reals and with a realvalue is supported. The entries undergo prior encoding in order toensure compatibility with the native space of the messages of theunderlying encryption algorithm. Decoding can also be applied at theoutput, after decryption, to the image of the considered function.

The technical effect of this invention is significant since thetechniques that it implements, considered independently or incombination, will allow carrying out an evaluation of the results of aplurality of functions ƒ₁, ..., ƒ_(q) applied to encrypted data whileconsiderably reducing the complexity and the necessary computationtimes. As described hereinbelow, this lightening results in particularfrom the fact (i) that the multivariate functions to be evaluated aretransformed into univariate functions rather than working directly onfunctions of several variables, (ii) that these functions can bedecomposed so as to share results of intermediate calculations ratherthan perform separate evaluations, and (iii) that the resultingunivariate functions are represented by tables rather than by a Booleancircuit.

When a function ƒ has several variables x₁, ..., x_(p), a methodaccording to the invention is to transform the function ƒ as acombination of sums and compositions of univariate functions. It shouldbe noted that these two operations, the sum and the composition ofunivariate functions, allow expressing affine transformations or elselinear combinations. By analogy with neural networks, the expression“network of univariate functions” is used to refer to the representationupon completion of the transformation from multivariate to univariatecombining sums and compositions of univariate functions, which networkwill be homomorphically evaluated on a plurality of encrypted values.Said transformation may be exact or approximate; nonetheless, it shouldbe noted that an exact transformation is an error-free approximatetransformation. In practice, the networks thus obtained have thecharacteristic of having a low depth in comparison with the Booleancircuits implementing the same functionality. This new representation ofthe function ƒ is then used to evaluate it on the encrypted inputsE(encode(x₁)), ..., E(encode(x_(p))) where E refers to an encryptionalgorithm and encode an encoding function, which will allow ending up incalculations of the type E(encode(g_(j)(z_(k)))) for some univariatefunctions g_(j), starting from an input of the type E(encode(z_(k)))where z_(k) is an intermediate result. These calculations exploit thehomomorphic property of the encryption algorithm.

When the same network of univariate functions is reused several times,it is interesting not to have to re-do all the calculation phases. Thus,according to the invention, a first step consists in pre-calculatingsaid network of univariate functions; it is then homomorphicallyevaluated on data encrypted in a subsequent step.

The fact that any continuous multivariate function can be written assums and compositions of univariate functions has been demonstrated byKolmogorov in 1957, [Arey N. Kolmogorov, “On the representation ofcontinuous functions of dynamic variables by superposition of continuousfunctions of one variable and addition”, Dokl. Akad. Nauk SSSR, 114, pp.953-956, 1957].

This result has remained theoretical for a long time, but algorithmicversions have been found, in particular by Sprecher, who proposed analgorithm in which he explicitly describes the method for constructingthe univariate functions [David A. Sprecher, “On the structure ofcontinuous functions of several variables”, Transactions of the AmericanMathematical Society, 115, pp. 340-355, 1965]. A detailed descriptionthereof can be found for example in the article [Pierre-Emmanuel Leni,Yohan Fougerolle and Frederic Truchetet, “Komogorov superposition theoryand its application to the decomposition of multivariate functions”, inMajecSTIC ‘08, 29-31 Oct. 2008, Marseille, France, 2008]. Moreover, itshould be noticed that the assumption of continuity of the function tobe decomposed can be relaxed by considering an approximation of thelatter.

Another possible approach consists in approximating the multivariatefunction by a sum of particular multivariate functions called ridgefunctions [B. F. Logan and L. A. Shepp, “Optimal reconstruction of afunction from its projections”, Duke Mathematical Journal, 42(4), pp.645-659, 1975] according to the English terminology. A ridge function ofa real-valued variable vector x = (x₁, ..., x_(p)) is a function appliedto the scalar product of this variable vector with a real parametervector a = (a₁, ..., a_(p)), i.e. a function of the type g_(a)(x) = g(a· x) where g is univariate. As noted hereinabove, a scalar product orequivalently a linear combination is a particular case of a combinationof sums and compositions of univariate functions; the decomposition of amultivariate function in the form of a sum of ridge functions forms anembodiment of a transformation from multivariate into univariateaccording to the invention. It is known that any multivariate functioncan be approximated with as great accuracy as is desired by a sum ofridge functions if it is possible to increase the number thereof [AllanPinkus, “Approximating by ridge functions”, in A. Le Mehaute, C. Rabutand L. L. Schumaker (Eds.), Surface Fitting and Multiresolution Methods,pages 279-292, Vanderbilt University Press, 1997]. These mathematicalresults have given rise to a statistical optimization method known underthe name of projection pursuit [Jerome H. Friedman and Werner Stuetzle,“Projection pursuit regression”, Journal of the American StatisticalAssociation, 76(376), pp. 817-823, 1981].

The use of so-called radial functions of the g_(a)(x) = g(|| x - a ||)type instead of the ridge functions is also a possibility [D. S.Broomhead and David Lowe, “Multivariable functional interpolation andadaptive networks”, Complex Systems, 2, pp. 321-355, 1988], and otherfamilies of basic functions can be used with a similar approximationquality (convergence rate). In some cases, formal decomposition ispossible, without going through Kolmogorov theorem or one of itsalgorithmic versions (such as that of Sprecher), or through ridge,radial functions, or variants thereof. For example, the function g(z₁,z₂) = max(z₁, z₂) (which serves in particular as the so-called “maxpooling” layers used by neural networks) can thus be decomposed: max(z₁,z₂) = z₂ + (z₁ - z₂)⁺ where z ↦ z⁺ corresponds to the univariatefunction z ↦ max(z, 0).

Given the data of the functions ƒ₁, ..., ƒ_(q), when each of these isrepresented by a network of univariate functions, which is then intendedto be homomorphically evaluated on encrypted data, this evaluation canbe performed in an optimised manner when all or part of one or more ofthese univariate functions is reused. Thus, for each of the redundanciesobserved in the set of univariate functions of said network, some of theprocedures of homomorphic evaluation of univariate function on anencrypted value will have to be performed only once. Knowing that thisfunction homomorphic evaluation is typically done on the fly and greatlyburdens the processing speed, sharing the intermediate values gives riseto very significant performance gains.

Three types of possible optimizations are considered:

Same Function, Same Argument

With an equal number of univariate functions, this optimization consistsin preferring the networks of univariate functions repeating a maximumof times the same univariate functions applied to the same arguments.Indeed, whenever the univariate function and the input on which it isevaluated are the same, the homomorphic evaluation of this univariatefunction on this input does not need to be recalculated.

Different Function, Same Argument

This optimization applies when the homomorphic evaluation of two or moreunivariate functions on the same input can be done essentially at thecost of a single homomorphic evaluation, an embodiment allowing sharinga large part of the computation. A similar situation has been consideredin the aforementioned article of CT-RSA 2019 under the name ofmulti-output version. An example of such an embodiment is presented inthe section “Detailed description of the invention”. In the multivariatecase, this situation appears for example in the decomposition of severalmultivariate functions in the form of a sum of ridge functions or radialfunctions when the coefficients (a_(ik)) of the decompositions arefixed.

Same Function, Arguments Differing by a Non-Zero Additive Constant

Another situation that allows accelerating the calculations is when thesame univariate function is evaluated on arguments whose difference isknown. This happens for example when a Kolmogorov-type decomposition isused, in particular the approximate algorithmic version of Sprecher. Inthis situation, the decomposition involves so-called “internal”univariate functions; cf. in particular the application to the internalfunction Ψ in the “Detailed description of the invention” section. Theextra cost in the latter case is minimal.

These optimizations apply when several functions ƒ₁, ..., ƒ_(q) shouldbe evaluated, but they also apply in the case of a single function to beevaluated (q = 1). In all cases, it is interesting to produce networksof univariate functions having not only a reduced number of univariatefunctions but also to prefer different functions yet on the samearguments or the same functions on arguments differing by an additiveconstant, in order to reduce the cost of evaluation thereof. This natureis specific to networks of univariate functions when these arehomomorphically evaluated on encrypted inputs.

Whether the functions subjected to the evaluation according to theinvention are multivariate and have formed undergone the first stepspresented hereinabove, or it is intended to process the nativelyunivariate functions, the invention provides for carrying out thehomomorphic evaluation of these univariate functions, and in anadvantageous variant to use for this purpose a representation in theform of tables.

The homomorphic evaluation of a univariate function, or more generallyof a combination of univariate functions, is based on homomorphicencryption schemes.

Introduced by Regev in 2005 [Oded Regev, “On lattices, learning witherrors, random linear codes, and cryptography”, in 37th Annual ACMSymposium on Theory of Computing, pages 84-93, ACM Press, 2005], the LWE(standing for Learning With Errors) problem enables the construction ofhomomorphic encryption schemes on numerous algebraic structures.Usually, an encryption scheme includes an encryption algorithmε and adecryption algorithm D such that if c = ε(µ) is the encryption of acleartext µ then D(c) returns the cleartext µ. The encryption algorithmsderived from the LWE problem and from its variants have theparticularity of introducing noise in the ciphertexts. This is callednative space of cleartexts to indicate the space of cleartexts on whichthe encryption algorithm is defined and for which the decryption of aciphertext results in the initial cleartext, with the consideration ofsome noise. It should be recalled that for an encryption algorithm εhaving M as a native space of cleartexts, an encoding function encode isa function that brings an element of an arbitrary set in the set M or ina subset thereof; preferably, this function is injective.

Applied to the torus

  =  ℝ/ℤ

of reals modulo 1, as detailed in the aforementioned article ofChillotti et al. (ASIACRYPT 2016), such a scheme is defined as follows.For a positive integer n, the encryption key is a vector (s₁, ...,s_(n)) of {0,1}^(n); the native space of the cleartexts is

ℳ  =   

. The LWE ciphertext of an element µ of the torus is the vector c = (a₁,..., a_(n), b) of

n + 1

where, for 1 ≤ j ≤ n,a_(j) is a random element of

and where

$b = \sum_{j = 1}^{n}s_{j} \cdot a_{j} + \mu + \, e$

(mod 1) with e a low noise according to a random error distribution overℝ centred on 0. Starting from the ciphertext c = (a₁, ..., a_(n), b),the knowledge of the key (s₁, ..., s_(n)) allows finding

$\mu + e = b - \sum_{j = 1}^{n}s_{j} \cdot a_{j}$

(mod 1) as an element of

. It should be recalled that two elements of the torus can be added buttheir internal product is not defined. The notation “•” indicates theexternal product between an integer and an element of the torus.

In the same article, the authors also describe a scheme based on theℤ_(N)[X] -module

N [ X ]     =     ℝ N [ X ] / ℤ N [ X ]

where ℝ_(N)[X] and ℤ_(N)[X] are respectively the polynomial ringsℝ_(N)[X] = ℝ[X]/(X^(N) + 1) and ℤ_(N)[X] = ℤ[X]/(X^(N) + 1). Forstrictly positive integers N and k, the encryption key is a vector (s₁,..., s_(k)) of B_(N)[X]^(k) with B_(N)[X] = B[X]/(X^(N) + 1) where B ={0,1} ; the native space of cleartexts is

M     =     N [ X ]

. The RLWE ciphertext of a polynomial µ of

N [ X ]

is the vector c = (a₁,...,a_(k),b) of

N [ X ] k + 1

where, for 1 ≤ j ≤ k, a_(j) is a random polynomial of T_(N)[X] and where

$b = \sum_{j = 1}^{k}s_{j} \cdot a_{j} + \mu + e( {\text{in}\mathbb{T}_{N}\lbrack X\rbrack,} )$

i.e. modulo (X^(N) + 1,1)) with e a low noise according to a randomerror distribution over ℝ_(N)[X]. Starting from the ciphertext c = (a₁,..., a_(k), b), the knowledge of the key (s₁, ..., s_(k)) allows finding

$\mu + e = b - \sum_{j = 1}^{k}s_{j} \cdot a_{j}( {\text{in}\mathbb{T}_{N}\lbrack X\rbrack} )S$

s an element of

N [ X ]

. The notation “•” herein indicates the external product on

N [ X ]

The “R” in RLWE refers to the word ring. These variants of the LWEproblem have been suggested in [Damien Stehle, Ron Steinfeld, KeisukeTanaka and Keita Xagawa, “Efficient public key encryption based on ideallattices”, in Advances in Cryptology - ASIACRYPT 2009, volume 5912 ofLecture Notes in Computer Science, pages 617-635, Springer, 2009] and[Vadim Lyubashevsky, Chris Peikert and Oded Regev, “On ideal latticesand learning with errors over rings”, in Advances in Cryptology -EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer Science, pages1-23, Springer, 2010.]

Finally, this same article of ASIACRYPT 2016 introduces the externalproduct between a RLWE-type ciphertext and a RGSW-type ciphertext(standing for Gentry-Sahai-Waters and ‘R’ refers to ring). It should berecalled that a RLWE-type encryption algorithm gives rise to a RGSW-typeencryption algorithm. The notations of the previous paragraph are used.For an integer ℓ ≥ 1, Z denotes a matrix with (k + 1)ℓ rows and k + 1columns in

N [ X ]

each row of which is a RLWE-type encryption of the polynomial 0. TheRGSW ciphertext of a polynomial σ of ℤ_(N)[X] is then given by thematrix C = Z + σ · G where G is a so-called “gadget” matrix defined in

N [ X ]

(having (k + 1)ℓ rows and k + 1 columns) and given by G = g^(T) ⊗I_(k+1) = diag(g^(T), ...,g^(T)) where g = (1/B, ...,1/B^(ℓ)) andI_(k+1) is the k + 1-size identity matrix, for a given base B ≥ 2. Tothis widget is associated a transformation denoted

G − 1 : N [ X ] k + 1 → ℤ N [ X ] ( k + 1 ) l

such that for every vector (row) v of the polynomial in

N [ X ] k + 1

we have G⁻¹(v) · G ≈ v and G⁻¹(v) is small. The external product of theRGSW-type ciphertext C (of the polynomial σ ∈ ℤ_(N)[X]) by a RLWE-typeciphertext c (of the polynomial

μ ∈ N [ X ]

), denoted

C ⊡ c

, is defined as

C ⊡ c = G − 1 ( c ) ⋅ C ∈ N [ X ] k − 1

. The ciphertext thus obtained

C ⊡ c

is a RLWE-type ciphertext of the polynomial

σ ⋅ μ ∈ N [ X ]

. The proofs are given in the aforementioned article of ASIACRYPT 2016.

As shown, the preceding schemes are so-called symmetric or private-keyencryption schemes. This is in no way a limitation because, as shown byRothblum in [Ron Rothblum, “Homomorphic encryption: From private-key topublic-key”, in Theory of Cryptography (TCC 2011), volume 6597 ofLecture Notes in Computer Science, pages 219-234, Springer, 2011], anyadditively homomorphic private-key encryption scheme can be convertedinto a public-key encryption scheme.

As recalled hereinabove, bootstrapping refers to a method allowingreducing any possible noise present in the ciphertexts. In hisaforementioned STOC 2009 founding article, Gentry implementsbootstrapping by the technique commonly referred to nowadays as“re-encryption”, introduced thereby. Re-encryption consists inhomomorphically evaluating a decryption algorithm in the encrypteddomain. In the clear domain, the decryption algorithm takes as input aciphertext C and a private key K, and returns the correspondingcleartext x. In the encrypted domain, with a homomorphic encryptionalgorithm E and an encoding function encode, the evaluation of saiddecryption algorithm takes as input a ciphertext of the encryption of Cand a ciphertext of the encryption of K, E(encode(C)) and E(encode(K)),and therefore gives a new a ciphertext of the encryption of the samecleartext, E(encode(x)), under the encryption key of the algorithm E.Consequently, assuming that a ciphertext is given as the output of ahomomorphic encryption algorithm E does not form a limitation becausethe re-encryption technique allows ending up in this case.

The homomorphic nature of the LWE-type encryption schemes and theirvariants allows manipulating the cleartexts by operating on thecorresponding ciphertexts. The domain of definition of a univariatefunction ƒ to be evaluated is discretised into several intervalscovering its domain of definition. Each interval is represented by avalue x_(i) as well as by the corresponding value of the functionƒ(x_(i)). Thus, the function ƒ is tabulated by a series of pairs in theform (x_(i), ƒ(x_(i))). These pairs are actually used to homomorphicallycalculate a ciphertext of ƒ(x), or an approximate value, starting from aciphertext of x, for an arbitrary value of x in the domain of definitionof the function.

In the invention, at the core of this homomorphic calculation is a newgeneric technique, combining bootstrappings and encodings. Severalembodiments are described in the “Detailed description of the invention”section.

The homomorphic assessment technique described in the aforementionedfrom ASIACRYPT 2016 article as well as those introduced in theaforementioned subsequent works do not enable the homomorphic evaluationof an arbitrary function, over an arbitrary domain of definition. Firstof all, these are strictly limited to univariate-type functions. Theprior art has no known responses in the multivariate case. In addition,in the univariate case, the prior art assumes conditions on the inputvalues or on the function to be evaluated. Among these limitations, notefor example inputs limited to binary values (bits) or the requirednegacyclic nature of the function to be evaluated (verified for exampleby the “sign” function on the torus). No generic processing of the inputor output values allowing ending up in these particular cases isdescribed in the prior art for functions with an arbitrary real value.

Conversely, the implementation of the invention — while enabling thecontrol of the noise at the output (boosting) — enables the homomorphicevaluation of functions with real-valued variables on inputs which areLWE-type ciphertexts of reals, regardless of the form of the functionsor their domain of definition.

DETAILED DESCRIPTION OF THE INVENTION

The invention allows carrying out, digitally by at least onespecifically programmed information processing system, the evaluation,on encrypted data, of one or more function(s) with one or more variableswith real value ƒ₁, ..., ƒ_(q), each of the functions taking as input aplurality of real-valued variables from among the real-valued variablesx₁, ..., x_(p).

When at least one of said functions takes as input at least twovariables, a method according to the invention schematically comprisesthree steps:

-   1. a so-called pre-calculation step consisting in transforming each    of said multivariate functions into a network of univariate    functions, composed of sums and compositions of univariate functions    with real value,-   2. a so-called pre-selection step consisting in identifying, in said    pre-calculated univariate function networks, redundancies of    different types and in selecting all or part of them,-   3. a so-called step of homomorphic evaluation of each of the    pre-calculated networks of univariate functions, in which the    redundancies selected in the pre-selection step are evaluated in an    optimised manner.

As regards the second step (pre-selection), the selection of all or partof the redundancies is primarily yet not exclusively guided by theobjective of optimising the digital processing of the homomorphicevaluation, whether gain in terms of computation time or foravailability reasons such as memory resources for storing intermediatecomputation values.

[FIG. 1 ] schematically replicates the first two steps as they areimplemented according to the invention by a computer system programmedto this end.

Thus, in one of the embodiments of the invention, the evaluation of oneor more multivariate functions with real value ƒ₁, ..., f_(q), each ofthe functions taking as input a plurality of real-valued variables fromamong the variables x₁, ..., x_(p), and at least one of said functionstaking as input at least two variables, taking as input the ciphertextsof the encryptions of each of the inputs x_(i), E(encode(x_(i))) with 1≤ i ≤ p, and returning the plurality of ciphertexts of the encryptionsof ƒ₁, ..., ƒ_(q) applied to their respective inputs, where E is ahomomorphic encryption algorithm and encode is an encoding function thatassociates to each of the reals x_(i) an element of the native space ofthe cleartexts of E, may be characterised by:

-   1. a pre-calculation step consisting in transforming each of said    multivariate functions into a network of univariate functions,    composed of sums and compositions of univariate functions with real    value,-   2. a pre-selection step consisting in identifying in said networks    of pre-calculated univariate functions the redundancies of one of    the three types    -   a. the same univariate functions applied to the same arguments,    -   b. different univariate functions applied to the same arguments,    -   c. the same univariate functions applied to arguments differing        by a non-zero additive constant, and selecting all or part        thereof,-   3. a step of homomorphic evaluation of each of the pre-calculated    networks of univariate functions, in which the redundancies selected    in the pre-selection step are evaluated in an optimised manner.

As regards the pre-calculation step, an explicit version of Kolmogorovsuperposition theorem allows confirming that any continuous function f:I^(p) → ℝ, defined on the identity hypercube I^(p) = [0,1]^(p) with thedimension p, can be written as sums and compositions of univariatecontinuous functions:

$f( {x_{1},\ldots,x_{p}} ) = {\sum\limits_{k = 0}^{2 p}{g_{k}( {\xi( {x_{1} + ka,\ldots,x_{p} + ka} )} )}}$

with

$\xi( {x_{1} + ka,\ldots,x_{p} + ka} ) = {\sum\limits_{i = 1}^{p}{\lambda_{i}\Psi( {x_{i} + ka} )}}$

where, with a given number p of variables, the λ_(i) and a areconstants, and ψ is a continuous function. In other words

$f( {x_{1},\ldots,x_{p}} ) = {\sum\limits_{k = 0}^{2p}{g_{k}( {\sum\limits_{i = 1}^{p}{\lambda_{i}\Psi( {x_{i} + ka} )}} )}}\mspace{6mu}.$

As example, [FIG. 2 ] illustrates the case p = 2.

The functions ψ and f are so-called “internal” and are independent of ƒfor a given arity. The function ψ associates, to any component x_(i) ofthe real vector (x₁, ..., x_(p)) of I^(p), a value in [0,1]. Thefunction f allows associating, to each vector (x₁, ..., x_(p)) ∈ I^(p)the numbers

z_(k)=

$\sum_{i = 1}^{p}\lambda_{i}\Psi( {x_{i} + ka} )$

in the interval [0,1] which will then serve as arguments to thefunctions g_(k) to rebuild the function ƒ by summing. It should be notedthat the restriction of the domain of ƒ to the hypercube I^(p) inKolmogorov theorem is usually done in the scientific literature tosimplify explanation thereof. However, it is obvious that this theoremnaturally extends to any parallelepiped with a dimension p by homothety.

Sprecher proposed an algorithm for the determination of internal andexternal functions in [David A. Sprecher, “A numerical implementation ofKolmogorov’s superpositions”, Neural Networks, 9(5), pp. 765-772, 1996]and [David A. Sprecher, “A numerical implementation of Kolmogorov’ssuperpositions II”, Neural Networks, 10(3), pp. 447-457, 1997],respectively.

Instead of the function Ψ initially defined by Sprecher to build f(which is discontinuous for some input values), it is possible to usethe function Ψ defined in [Jürgen Braun and Michael Griebel, “On aconstructive proof of Kolmogorov’s superposition theorem”, ConstructiveApproximation, 30(3), pp. 653-675, 2007].

Once the internal functions ψ and f have been fixed, it remains todetermine the external functions g_(k) (which depend on the function ƒ).For this purpose, Sprecher proposes the construction - for each k, 0 ≤ k≤ 2p— of r functions

g_(k)^(r)

whose sum converges towards the external function g_(k). At the end ofr^(-th) step, the result of the approximation of ƒ is given in thefollowing form:

$f( {x_{1},\ldots,x_{p}} ) \approx {\sum\limits_{k = 0}^{K}{\sum\limits_{j = 1}^{r}{g_{k}^{j} \circ \xi( {x_{1} + ka,\ldots,x_{p} + ka} )}}}\mspace{6mu},$

where K is a parameter such that K ≥ 2p. Thus, the algorithm provides anapproximate result with respect to that of Kolmogorov decompositiontheorem. Indeed, by taking r quite great, and by assuming

$g_{k} = \sum_{j = 1}^{r}g_{k}^{j},$

the next approximate representation for the function ƒ is obtained:

$f( {x_{1},\ldots,x_{p}} ) \approx {\sum\limits_{k = 0}^{K}{g_{k} \circ \xi( {x_{1} + ka,\ldots,x_{p} + ka} )}}\mspace{6mu},$

or still

$f( {x_{1},\ldots,x_{p}} ) \approx {\sum\limits_{k = 0}^{K}{g_{k}( {\sum\limits_{i = 1}^{p}{\lambda_{i}\Psi( {x_{i} + ka} )}} )}}\mspace{6mu}.$

Thus, in one of the embodiments of the invention, the pre-calculationphase may be characterised in that for at least one function ƒ_(j) fromamong ƒ₁, ..., ƒ_(q), the transformation of the pre-calculation step isan approximate transformation in the form

f_(j)(x_(j₁), …, x_(j_(t)))≈

$\sum_{k = 0}^{K}g_{k}( {\sum_{i = 1}^{t}\lambda_{j_{i}}\Psi( {x_{j_{i}} + ka} )} )$

with t ≤ p and j₁, ..., j_(t) ∈ {1, ..., p}, and where Ψ is a univariatefunction defined on reals and with real value, where the λ_(ji) are realconstants and where the g_(k) are univariate functions defined on realsand with real value, said functions g_(k) being determined as a functionof ƒ_(j), for a given parameter K.

Another technique for decomposing a multivariate function ƒ(x₁, ...,x_(p)) consists in approximating it with a sum of so-called ridgefunctions, according to the transform

$f( {x_{1},\ldots,x_{p}} ) \approx {\sum\limits_{k = 0}^{K}{g_{k}( {\sum\limits_{i = 1}^{p}{a_{i,k}\mspace{6mu} x_{i}}} )}}\mspace{6mu},$

where the coefficients a_(i,k) are real numbers and where the g_(k) areunivariate functions defined on the reals and with real value, saidfunctions g_(k) and said coefficients a_(i,k) being determined as afunction of ƒ_(j), for a given parameter K.

The decomposition is then approximate in the general case, and aims toidentify the best approximation, or an approximation with enoughquality. This approximation appears in the literature devoted tostatistical optimisation as projection pursuit. As mentioned before, anoticeable result is that any function ƒ can be approximated in thismanner with arbitrarily high accuracy. In practice, however, it iscommon that ƒ admits an exact decomposition, i.e. it is expressedanalytically in the form of a sum of ridge functions for all or part ofits inputs.

When a function ƒ_(j) takes as input a subset of t variables of {x₁,..., x_(p)} with t ≤ p, if these variables are denoted with j₁, ...,j_(t) ∈ {1, ..., p}, then the previous ridge decomposition is written

$f( {x_{j_{1}},\ldots,x_{j_{t}}} ) \approx {\sum\limits_{k = 0}^{K}{g_{k}( {\sum\limits_{i = 1}^{t}{a_{i,k}\mspace{6mu} x_{j_{i}}}} )}}$

with for functions g_(k) and coefficients a_(i,k) determined as afunction of ƒ_(j), for a given parameter K.

Thus, in one of the embodiments of the invention, the pre-calculationphase may be characterised in that, for at least one function ƒ_(j) fromamong ƒ₁, ..., ƒ_(q), the transformation of the pre-calculation step isan approximate transformation in the form

f_(j)(x_(j₁), …, x_(j_(t)))≈

$\sum_{k = 0}^{K}g_{k}( {\sum_{i = 1}^{t}a_{i,k}\mspace{6mu} x_{j_{i}}} )$

with t ≤ p and j₁, ..., j_(t) ∈ {1, ..., p}, and where the coefficientsa_(i,k) are real numbers and where the g_(k) are univariate functionsdefined on the reals and with real value, said functions g_(k) and saidcoefficients a_(i,k) being determined as a function of ƒ_(j), for agiven parameter K.

A similar decomposition technique, using the same statisticaloptimisation tools, applies by taking the radial functions rather thanthe ridge functions, according to

$f( {x_{1},\ldots,x_{p}} ) \approx {\sum\limits_{k = 0}^{K}{g_{k}( \| {\text{x} - \text{a}_{\text{k}}} \| )}}$

with x = (x₁, ..., x_(p)), a_(k) = (a_(1,k), ..., a_(p,k)) and where thevectors a_(k) have as coefficients a_(i,k) real numbers and where theg_(k) are univariate functions defined on the reals and with real value,said functions g_(k) and said coefficients a_(i,k) being determined as afunction of ƒ, for a given parameter K and a given norm ||•||. Usually,the Euclidean norm is used.

When a function ƒ_(j) takes as input a subset oft variables of {x₁, ...,x_(p)} with t ≤ p, if one denotes these variables with j₁, ..., j_(t) ∈{1, ..., p}, then the previous decomposition is written

$f_{j}( {x_{j_{1}},\ldots,x_{j_{t}}} ) \approx {\sum\limits_{k = 0}^{K}{g_{k}( \| {\text{x} - \text{a}_{\text{k}}} \| )}}$

with and a_(k) = (a_(1,k), ..., a_(t,k)), for functions g_(k) andcoefficients a_(i,k) determined as a function of ƒ_(j), for a givenparameter K.

Thus, in one of the embodiments of the invention, the pre-calculationphase may be characterised in that for at least one function ƒ_(j) fromamong ƒ₁, ..., ƒ_(q), the transformation of the pre-calculation step isan approximate transformation in the form

$f_{j}( {x_{j_{1}},\ldots,x_{j_{t}}} ) \approx \sum_{k = 0}^{K}g_{k}( {||} )(  \text{x} - \text{a}_{\text{k}}\mspace{2mu} \middle| | )$

with a_(k) = (a_(1,k), ..., a_(t,k)), t ≤ p and j₁, ..., j_(t) E {1,..., p}, and where the vectors a_(k) have as coefficients a_(i,k) realnumbers and where the g_(k) are univariate functions defined on thereals and with a real value, said functions g_(k) and said coefficientsa_(i,k) being determined as a function of ƒ_(j), for a given parameter Kand a given norm ||•||.

As indicated in the aforementioned Pinkus’s article, another importantclass of decomposition of functions is when the coefficients a_(i,k) arefixed, the functions g_(k) are the variables. This class applies todecomposition both in the form of ridge functions and in the form ofradial functions. Several methods are known for solving this problem,under the name: Von Neumann algorithm, cyclic coordinate algorithm,Schwarz domain decomposition method, Diliberto-Straus algorithm, as wellas variants that are found in the literature dedicated to tomography;cf. this same Pinkus’s article and the references therein.

Thus, in one of the particular embodiments of the invention, thispre-calculation phase is further characterised in that the coefficientsa_(i,k) are fixed.

In some cases, the transformation of the pre-calculation step may beperformed exactly by means of an equivalent formal representation ofmultivariate functions.

Consider g a multivariate function. If this function g calculates themaximum of z₁ and z₂, g(z₁,z₂) = max(z₁, z₂), it can use the formalequivalence max(z₁,z₂) = z₂ + (z₁ - z₂)⁺, where z ↦ z⁺ corresponds tothe univariate function z ↦ max(z, 0). The use of this formalequivalence allows easily obtaining other formal equivalences for thefunction max(z₁, z₂). As example, since (z₁ - z₂)⁺ can be expressed inan equivalent manner as

$( {z_{1} - z_{2}} )^{+} = \frac{1}{2}( {z_{1} -} )( z_{2} ) + \frac{1}{2}| {z_{1} - z_{2}} |,$

the formal equivalence max(z₁, z₂) = (z₁ + z₂ + |z₁ - z₂ |)/2 isobtained where z ↦ |z| is the univariate function “absolute value” andwhere z ↦ z/2 is the univariate function “division by 2”

In general, for three variables or more z₁, ..., z_(m), given that

$\begin{array}{l}{\max( {z_{1},\ldots,z_{i},z_{i + 1},\ldots,z_{m}} ) = \max( {\max( {z_{1},\ldots,z_{i}} ),} )} \\( {\max( {z_{i + 1},\ldots,z_{m}} )} )\end{array}$

for any i meeting 1 ≤ i ≤ m - 1, max(z₁, ..., z_(m)) is thus obtainediteratively as a combination of sums and functions | · | (absolutevalue) or (·)⁺.

Thus, in one of the embodiments of the invention, the pre-calculationphase may be characterised in that the transformation of thispre-calculation step uses the formal equivalence max(z₁,z₂) = z₂ + (z₁ -z₂)⁺ to express the function (z₁,z₂) ↦ max(z₁,z₂) as a combination ofsums and compositions of univariate functions.

In a particular embodiment of the invention, this pre-calculation phaseis further characterised in that the formal equivalence is obtained fromthe iteration of the formal equivalence for two variables, for saidfunction when the latter includes three variables or more.

Similarly, for the “minimum” function, g(z₁,z₂) = min(z₁,z₂), it ispossible to use the formal equivalence min(z₁,z₂) = z₂ + (z₁ - z₂)⁻where z ↦ z⁻ = min(z,0), or else min(z₁,z₂) = (z₁ + z₂ - |z₁ - z₂|)/2because

$( {z_{1} - z_{2}} )^{-} = \frac{1}{2}( {z_{1} - z_{2}} ) - \frac{1}{2}| {z_{1} - z_{2}} |,$

which, by iterating, generally allows formally decomposing the m-variatefunction min(z₁,...,z_(m)) as a combination of sums and univariatefunctions, by observing that min(z₁, ..., _(Zi), z_(i+1), ..., z_(m)) =min(min(z₁, ..., z_(i)), min(z_(i+1), ..., z_(m))).

Thus, in one of the embodiments of the invention, the pre-calculationphase may be characterised in that the transformation of thispre-calculation step uses the formal equivalence min(z₁,z₂) = z₂ + (z₁ -z₂)⁻ to express the function (z₁,z₂) ↦ min(z₁,z₂) as a combination ofsums and compositions of univariate functions.

In a particular embodiment of the invention, this pre-calculation phaseis further characterised in that the formal equivalence is obtained fromthe iteration of the formal equivalence for two variables, for saidfunction when the latter includes three variables or more.

Another very useful multivariate function that can be simply formallydecomposed into a combination of sums and compositions of univariatefunctions is multiplication. A first embodiment is to use for g(z₁,z₂) =z₁ × z₂ the formal equivalence z₁ × z₂ = (z₁ + z₂₎ ²/4 - (z₁ - z₂)²/4,involving the univariate function z ↦ z²/4. Of course, the use of aformal equivalence gives other formal equivalences. Thus, as example, byusing z₁ × z₂ = (z₁ + z₂)²/4 - (z₁ - z₂)²/4,z₁ × z₂ = (z₁ + z₂)²/4 -(z₁ - z₂)²/4 + (z₁ + z₂)²/4 -(z₁ + z₂)²/4 = (z₁ + z₂)²/2 - (z₁ -z₂)²/4 - (z₁ + z₂)²/4 = (z₁ + z₂)²/2 - z₁ ²/2 -z₂ ²/2 is deduced; i.e.,the formal equivalence z₁ × z₂ = (z₁ + z₂)²/2 - z₁ ²/2 - z₂ ²/2,involving the univariate function z ↦ z²/2.

Thus, in one of the embodiments of the invention, the pre-calculationphase may be characterised in that the transformation of thispre-calculation step uses the formal equivalence z₁ × z₂ = (z₁ +z₂)²/4 - (z₁ - z₂)²/4 to express the function (z₁,z₂) ↦ z₁ × z₂ as acombination of sums and compositions of univariate functions.

These embodiments are generalised to m-variate functions for m ≥ 3 byobserving that z₁ × ... × z_(i) × z_(i+1) × ... × z_(m) = (z₁ × ... ×z_(i)) × (z_(i+1) × ... × z_(m)) with 1 ≤ i ≤ m - 1.

In a particular embodiment of the invention, this pre-calculation phaseis further characterised in that the formal equivalence is obtained fromthe iteration of the formal equivalence for two variables, for saidfunction when the latter includes three variables or more.

A second embodiment is to decompose g(z₁,z₂) = |z₁ × z₂| = |z₁| × |z₂|as |z₁ × z₂| = exp(ln|z₁| + ln|z₂|), involving the univariate functionsz ↦ ln|z| and z ↦ exp(z); or else, for an arbitrary base B, such as

|z₁ × z₂| = B^(log_(B)|z₁| + log_(B)|z₂|)

because exp(ln|z₁| + ln|z₂|) = exp

$( {\frac{\log_{B}| z_{1} |}{\log_{B}e} + \frac{\log_{B}| z_{1} |}{\log_{B}e}} ) = e^{\frac{1}{\log_{B}e}{({\log_{B}{|z_{1}|} + \log_{B}{|z_{2}|}})}} = B^{\log_{B}{|z_{1}|} + \log_{B}{|z_{2}|}}$

where e = exp(1) involving the univariate functions z ↦ log_(B)|z| and z↦ B^(z). Herein again, these embodiments are generalised to m-variatefunctions for m ≥ 3 while observing that z₁ × ... × z_(i) × z_(i+1) ×... × z_(m)| = |z₁ × ... × z_(i) × |z_(i+1) × ... × z_(m)| with 1 ≤ i ≤m — 1.

Thus, in one of the embodiments of the invention, the pre-calculationphase may be characterised in that the transformation of thispre-calculation step uses the formal equivalence |z₁ × z₂| =exp(ln|z₁| + ln|z₂|) to express the function (z₁,z₂) ↦ |z₁ × z₂| as acombination of sums and compositions of univariate functions.

In a particular embodiment of the invention, this pre-calculation phaseis further characterised in that the formal equivalence is obtained fromthe iteration of the formal equivalence for two variables, for saidfunction when the latter includes three variables or more.

As described before, the multivariate function(s) given as input aretransformed into a network of multivariate functions. Such a network isnot necessarily unique, even in the case where the transformation isexact.

As example, we have seen hereinabove at least two decompositions of themultivariate function max(x₁,x₂), namely max(x₁,x₂) = x₂ + (x₁ - x₂)⁺and max(x₁,x₂) = (x₁ + x₂ + |x₁-x₂|)/2. Specifically, each of thesetransformations may proceed in detail as follows

-   1. max(x₁,x₂) = x₂ + (x₁ - x₂)⁺    -   assume z₁ = x₁ - x₂ and define g₁(z) = z⁺    -   write max(x₁,x₂) = x₂ + g₁(z₁)-   2. max (x₁,x₂) = (x₁ + x₂ + |x₁ - x₂|/2    -   assume z₁ = x₁ - x₂ and z₂ = x₁ + x₂    -   define g₁(z) = |z| and g₂(z) = z/2    -   write max(x₁,x₂) = g₂(z₃) with z₃ = z₂ + g₁(z₁)

In general, two types of operations are observed in a network ofunivariate functions: sums and evaluations of univariate functions. Whenthe evaluation of the network is done homomorphically on encryptedvalues, the most expensive operations are the evaluations of theunivariate functions because this typically gives rise to abootstrapping step. Consequently, it is interesting to produce networksof univariate functions minimizing these univariate function evaluationoperations.

In the previous example, one can therefore see that the firsttransformation for the “maximum” function [max(x₁,x₂) = x₂ + (x₁ - x₂)⁺]seems to be more advantageous since it only requires one univariatefunction evaluation, namely that of the function g₁(z) = z⁺. Inpractice, the difference is not noticeable because the second univariatefunction in the second transformation does not really need to beevaluated: all it needs is to return 2max(x₁,x₂) = x₁ + x₂ + |x₁- x₂|orelse to integrate this factor into the decoding function at the output.In general, the univariate functions consisting in multiplying by aconstant can be ignored (i) by calculating a multiple of the startingfunction, or (ii) by “absorbing” by composition the constant when thesefunctions are at the input of another univariate function. For example,the multivariate function sin(max(x₁,x₂)) may be written as

-   1. sin(max(x₁,x₂)) = sin(x₂ + (x₁ - x₂)⁺)    -   assume z₁ = x₁ - x₂ and define g₁(z) = z⁺    -   define g₂(z) = sin(z)-   2. write sin(max(x₁,x₂)) = g₂(z₂) with z₂ = x₂ + g₁(z₁)    -   sin(max(x₁,x₂)) = sin((x₁ + x₂ + |x₁ - x₂|)/2)    -   assume z₁ = x₁ - X₂ and Z₂ = x₁ + X₂    -   define g₁(z) = |z| and g₂(z) = sin(z/2)-   3. write sin(max(x₁,x₂)) = g₂(z₃) with z₃ = z₂ + g₁(z₁)

(the multiplication by ½ being “absorbed” by the function g₂(z) =sin(z/2) in the second case).

Apart from the univariate functions of the type g(z) = z + a (additionof a constant a) or of the type g(z) = az (multiplication by a constanta), other situations may give rise to faster evaluations of univariatefunctions.

{g_(k)(z_(ik) )} _(k) denotes the set of univariate functions with theirrespective argument (z_(ik) ∈ ℝ) resulting from the transformation ofƒ₁, ...,ƒ_(q) at the pre-calculation step - some univariate functionsg_(k) may be the same.

Three types of optimisations are considered:

1) The Same Function, the Same Argument

g_(k) = g_(k), and z_(ik) = z_(ik) ,(Type 1). This optimisation isobvious. It consists in reusing results from previous calculations.Thus, if there is k′ < k such that g_(k),(z_(ik) ,) has already beenevaluated and for which g_(k),(z_(ik) ,) = g_(k)(z_(ik) ), the value ofg_(k)(z_(ik) ) must not be recalculated.

2) Different Function, the Same Argument

g_(k) ≠ g_(k′) andz_(ik) = z_(ik) , (Type 2). In some cases, the cost ofthe homomorphic evaluation of two or more univariate function(s) on thesame argument may be less than the sum of the costs of these functionsconsidered separately. Typically, a single bootstrapping step isrequired. In this case, amongst two networks of univariate functionsincluding the same number of univariate functions of the typeg_(k)(z_(ik) ), within multiplicity tolerances, it is advantageous toprefer that one sharing a maximum of arguments. An example illustratesthis situation very well. Consider the homomorphic evaluation of themultivariate function ƒ(x₁,x₂) = max(x₁,x₂) + |x₁ × x₂|. Two possibleembodiments of networks are

-   a. max(x₁,x₂) + |x₁ × x₂| = x₂ + (x₁ - x₂)⁺ + exp(ln|x₁| + ln|x₂|)    -   assume z₁ = x₁ - x₂ and define g₁(z) = z⁺    -   define g₂(z) = ln|z| and g₃(z) = exp(z)    -   write max(x₁, x₂) + |x₁ × x₂| = x₂ + g₁(z₁) + g₃(z₂) with z₂ =        g₂(x₁) + g₂(x₂)-   b. max(x₁,x₂) + |x₁ × x₂| = x₂ + (x₁ - x₂)⁺ + |(x₁ + x₂)²/4 - (x₁ -    x₂)²/4|    -   assume z₁ = x₁ - x₂ and define g₁(z) = z⁺    -   assume z₂ = x₁ + x₂ and define g₂(z) = z²/4 and g₃(z) = |z|    -   write max(x₁,x₂) + |x₁ × x₂| = x₂ + g₁(z₁) + g₃(z₃) with z₃ =        g₂(z₂) - g₂(z₁).

The two embodiments hereinabove include four univariate functionevaluations. However, the second one includes two univariate functionson the same argument, namely g₁(z₁) and g₂(z₁) is therefore preferred.

Sharing of the univariate functions on the same argument is not limitedto the transformations performed by means of an equivalent formalrepresentation. This also applies to digital transformations. It shouldbe recalled that a function defined on a parallelepiped of ℝ^(p) can betransformed into a network of univariate functions. In particular, for afunction ƒ with p variables x₁, ..., x_(p), Sprecher’s algorithm allowsobtaining an approximation of the function ƒ having the following form:

$f( {x_{1},\ldots,x_{p}} ) \approx {\sum\limits_{k = 0}^{K}{g_{k}( {\xi( {x_{1} + ka,\ldots,x_{p} + ka} )} )}}$

with

$\xi( {x_{1} + ka,\ldots,x_{p} + ka} ) = \sum_{i = 1}^{p}\lambda_{i}\Psi( {x_{i} + ka} ).$

In this construction, the so-called “internal” functions Ψ and ξ do notdepend on ƒ, for a given domain of definition. Consequently, if severalmultivariate functions f₁, ..., f_(q) defined on the same domain werehomomorphically evaluated, the homomorphic evaluations of the functionsΨ and ξ do not need to be recalculated when they apply on the sameinputs. This situation also appears for example in the decomposition ofseveral multivariate functions using ridge functions or radialfunctions, when the coefficients (α_(ik)) of the decompositions arefixed.

3) The Same Function, Arguments Differing by an Additive Constant:

g_(k) = g_(k), and z_(ik) = z_(ik) ,+ α_(k) for a known constant α_(k) ≠0 (Type 3). Another situation allowing accelerating the calculations iswhen the same univariate function is applied to arguments differing byan additive constant. For example, still in Sprecher’s construction, thehomomorphic evaluation of ƒ hereinabove involves several homomorphicevaluations of the same univariate function Ψ on variables differingadditively by a constant value, namely x_(i) + kα for 1 ≤ i ≤ p andwhere kα is known. In this case, the value of the encryption ofΨ(x_(i) + kα) for 1 ≤ k ≤ K can be obtained efficiently from theencryption of Ψ(x_(i)); an embodiment is detailed hereinbelow.

In formal terms, in all of the univariate functions with theirrespective argument, {g_(k)(z_(ik))}_(k), resulting from thetransformation of f₁, ..., f_(q) at the pre-calculation step, an elementg_(k) (z_(ik)) meeting one of the three conditions is called“redundancy”

-   1. g_(k) = g_(k′) and z_(ik) = z_(ik′)-   2. g_(k) ≠ g_(k′) and z_(ik) = z_(ik′)-   3. g_(k) = g_(k′) and z_(ik) = z_(ik′) + a_(k) for a known constant    a_(k) ≠ 0

for an index k′ < k.

As illustrated in [FIG. 3 ], in the case of any univariate function ƒ ofa real-valued variable with an arbitrary accuracy in a domain ofdefinition D and with real value in an image ℑ,

f : D ⊆ ℝ → J ⊆ ℝ, x ↦ f(x),

a method according to the invention uses two homomorphic encryptionalgorithms, denoted E and E′. The native spaces of the cleartexts ofwhich are denoted M and M′, respectively. The method is parameterised byan integer N ≥ 1 which quantifies the so-called actual accuracy of theinputs on which the function ƒ is evaluated. Indeed, although the inputsof the domain of definition D of the function ƒ may have an arbitraryaccuracy, these will be represented internally by at most N selectedvalues. This has the direct consequence that the function ƒ will berepresented by a maximum of N possible values. The method is alsoparameterised by encoding functions encode and encode′, where encodetakes as input an element of D and associates thereto an element of Mand encode’ takes as input an element of ℑ and associates thereto anelement of M′. The method is parameterised by a so-called discretisationfunction discretise which takes as input an element of M and associatesthereto an integer. The encoding encode and discretisation discretisefunctions are such that the image of the domain D by the encoding encodefollowed by the discretisation discretise, (discretise ∘ encode) (D), ora set of at most N indices taken from among S = {0,..., N - 1}. Finally,the method is parameterised by a homomorphic encryption scheme having anencryption algorithm ε_(H) the native space of the cleartexts of whichM_(H) has a cardinality of at least N, as well as an encoding functionencode_(H) which takes as input an integer and returns an element ofM_(H). In this case, the method comprises the following steps:

-   A pre-calculation step in which the discretisation of said function    ƒ and the construction of a table T corresponding to this    discretised function ƒ are carried out.    -   In a detailed manner, the domain D of the function is decomposed        into N sub-intervals R₀, ..., R_(N-1), the union of which is        equal to D. For each index i ∈ {0,..., N - 1}, a representative        x(i) ∈ R_(i) is selected and y(i) = ƒ(x(i)) is calculated. The        table T consisting of the N components T[0], ..., T[N - 1] is        returned, with T[i] = y(i) for 0 ≤ i ≤ N - 1.-   A step of so-called homomorphic evaluation of the table in which,    given the ciphertext of an encryption of x, E (encode(x)), for a    real value x ∈ D where the function encode encodes x as an element    of M, the ciphertext E(encode(x)) is converted into the ciphertext    ε_(H)(encode_(H)(ĩ)) for an integer ĩ having as an expected value    the index i with i = (discretise o encode)(x) in the set {0,..., N -    1} if x ∈ R_(i). Starting from the ciphertext ε_(H)(encode_(H)(ĩ))    and from the table T, the ciphertext E′(encode′(T[ĩ])^(~)) is    obtained for an element encode′(T[ȋ])^(~) having, as an expected    value encode′(T[ȋ]) with T[ĩ] = y(ĩ) and where y(ĩ) ≈ ƒ(x). The    cipheretext E′(encode′(T[ĩ])^(~)) is returned as the ciphertext of    an encryption of an approximate value of ƒ(x).

Thus, in one of its embodiments, the invention covers the approximatehomomorphic evaluation, performed digitally by a specifically programmedinformation processing system, of a univariate function ƒ of areal-valued variable x with an arbitrary accuracy in a domain ofdefinition D and with real value in an image I, taking as input theciphertext of en encryption of x, E(encode(x)), and returning theciphertext of an encryption of an approximate value of ƒ(x),E′(encode′(y)), with y ≈ ƒ(x), where E and E′ are homomorphic encryptionalgorithms whose respective native space of the cleartexts is M and M′,which evaluation is parameterised by:

-   an integer N ≥ 1 quantifying the actual accuracy of the    representation of the variables at the input of the function ƒ to be    evaluated,-   an encoding function encode taking as input an element of the domain    D and associating thereto an element of M,-   an encoding function encode’ taking as input an element of the image    ℑ and associating thereto an element of M′,-   a discretisation function discretise taking as input an element of M    and associating thereto an index represented by an integer,-   a homomorphic encryption scheme having an encryption algorithm ε_(H)    the native space of the cleartexts of which M_(H) has a cardinality    of at least N,-   an encoding function encode_(H) taking as input an integer and    returning an element of M_(H),

so that the image of the domain D by the encoding encode followed by thediscretisation discretise, (discretise o encode) (D), is a set of atmost N indices selected from S = {0,..., N -1},

With these parameters, said approximate homomorphic evaluation of aunivariate function ƒ requires the implementation of the two successivefollowing steps by the specifically programmed information processingcomputer system:

-   1. a step of pre-calculating a table corresponding to said    univariate function ƒ, consisting in    -   a. decomposing the domain D into N chosen subintervals R₀,...,        R_(N-1) the union of which is D,    -   b. for each index i in S = {0,..., N - 1}, determining a        representative x(i) in the sub-interval R_(i) and calculating        the value y(i) = ƒ(x(i)),    -   c. returning the table T consisting of the N components T[0],        ..., T[N - 1], with T[i] = y(i) for 0 ≤ i ≤ N - 1 ;-   2. a step of homomorphic evaluation of the table consisting in    -   a. converting the ciphertext E(encode(x)) into the ciphertext        ε_(H)(encode_(H)(ĩ)) for an integer ĩ having as an expected        value the index i = (discretise o encode) (x) in the set S =        {0,..., N - 1} if x ∈ R_(i),    -   b. obtaining the ciphertext E′(encode′(T[ĩ])^(~)) for an element        encode′(T[ĩ])^(~) having as an expected value encode′(T[i]),        starting from the ciphertext ε_(H)(encode_(H)(ĩ)) and from the        table T,    -   c. returning E′(encode′(T[ĩ])^(~)).

When the domain of definition D of the function ƒ to be evaluated is thereal interval [x_(min), x_(max)), the N sub-intervals R_(i) (for 0 ≤ i ≤N - 1) covering D can be chosen as the semi-open intervals

$R_{i} = \lbrack {\frac{i}{N}( {x_{\max} - x_{\min}} ) + x_{\min},\frac{i + 1}{N}( {x_{\max} - x_{\min}} ) + x_{\min}} )$

splitting D regularly. Several choices are possible for therepresentative x := x(i) of the interval R_(i). For example, it ispossible to consider the midpoint of each interval, which is given by

$x(i)\mspace{6mu} = \mspace{6mu}( {x_{\max}\mspace{6mu} - \mspace{6mu} x_{\min}} )\frac{2i + 1}{2N}\mspace{6mu} + \mspace{6mu} x_{\min}\mspace{6mu} \in \mspace{6mu} R_{i}( {\text{with}\mspace{6mu}\text{0}\mspace{6mu} \leq \mspace{6mu} i\mspace{6mu} \leq \mspace{6mu} N\mspace{6mu} - \mspace{6mu} 1} ).$

Another choice is to select for x(i) a value in R_(i) such that ƒ(x(i))is close to the average of ƒ(x) over the interval R_(i) or else to anaverage weighted by a given prior distribution of the x over theinterval R_(i) for each 0 ≤ i ≤ N - 1, or to the median value.

Thus, in one of the embodiments of the invention, the approximatehomomorphic evaluation of the univariate function ƒ is furthercharacterised in that

-   the domain of definition of the function ƒ to be evaluated is given    by the real interval-   D = [x_(min), x_(max)),-   the N intervals R_(i) (for 0 ≤ i ≤ N - 1) covering the domain D are    the semi-open sub-intervals-   $R_{i}\mspace{6mu} = \mspace{6mu}\lbrack {\frac{i}{N}( {x_{\max}\mspace{6mu} - \mspace{6mu} x_{\min}} )\mspace{6mu} + \mspace{6mu} x_{\min},\mspace{6mu}\frac{i + 1}{N}( {x_{\max}\mspace{6mu} - \mspace{6mu} x_{\min}} )\mspace{6mu} + \mspace{6mu}( x_{\min} )} ),$-   splitting D in a regular manner.

The choice of the algorithm ε_(H) of the encoding function encode_(H)has a predominant role in the conversion of E(encode(x)) intoε_(H)(encode_(H)(ĩ)). It should be recalled that for x ∈ D, we have(discretise o encode) (x) ∈ S where S = {0,..., N - 1}. An importantcase is when the elements of S are seen as the elements of a subset, notnecessarily a subgroup, of an additive group. This additive group isdenoted Z_(M) (the set of integers {0, ..., M - 1} provided with theaddition modulo M) for an integer M ≥ N.

Thus, in one of the embodiments of the invention, the approximatehomomorphic evaluation of the univariate function ƒ is furthercharacterised in that the set S is a subset of the additive group Z_(M)for an integer M ≥ N.

There are several ways of representing the group Z_(m). Thus, Ducas andMiccipanio in the aforementioned article of EUROCRYPT 2015 represent theelements of Z_(M) as the exponents of a variable X; to an element i ofZ_(m) is associated an element X^(i), with X^(M) = X⁰ = 1and X^(j) ≠ 1for any 0 < j < M. It is said that X is an M-th primitive root of theunit. This representation allows switching from an additive notationinto a multiplicative notation: for all elements i, j ∈ Z_(M), theelement i + j (modM) is associated to the element

X^(i + j) = X^(i) ⋅ X^(j) (mod (X^(M) − 1)).

The modulo multiplication operation (X^(M) — 1) induces a groupisomorphism between the additive group Z_(m) and the set {1, X,...,X^(M-1)} of the M-th roots of the unit. When M is even, the relationshipX^(M) = 1 implies X^(M/2) = -1. We then have X^(i+j) = X^(i) X^(j) (mod(X^(M/2) + 1)) for i, j ∈ Z_(m) and, the set of the M-th roots of theunit is {±1, ±X,..., ±X^((M/2)-1)}.

Thus, in one of the embodiments of the invention, the approximatehomomorphic evaluation of the univariate function ƒ is furthercharacterised in that the group Z_(m) is represented multiplicatively asthe powers of a primitive M-th root of the unit denoted X, so that tothe element i of Z_(m) is associated the element X^(i); all of M-throots of the unit {1,X,...,X^(M-1)} forming an isomorphic group to Z_(M)for multiplication modulo (X^(M) — 1).

In the case where the homomorphic encryption algorithm E is given by anLWE-type encryption algorithm applied to the torus

   = ℝ/ℤ

, we have

ℳ  =  

and, if we denote µ = encode(x) with x ∈ D for an encoding functionencode with a value in

, we have E(encode(x)) = (α₁, ..., α_(n), b) where α_(j) ∈ T (for 1 ≤ j≤ n) and

$b\mspace{6mu} = \mspace{6mu}{\sum_{j = 1}^{n}{s_{j}\mspace{6mu} \cdot \mspace{6mu} a_{j}}}\mspace{6mu} + \mspace{6mu}\mu\mspace{6mu} +$

e (mod 1) with e a small random noise on R.

Thus, in one of the embodiments of the invention, the approximatehomomorphic evaluation of the univariate function ƒ is furthercharacterised in that the homomorphic encryption algorithm E is given byan LWE-type encryption algorithm applied to the torus T = R/Z and has asnative space of cleartexts M = T.

The discretization function discretise is then parameterised for aninteger M ≥ N as the function which, to an element t of the torus,associates the integer rounding of the product M × t modulo M, where M ×t is calculated in R; written in the mathematical form

discretise: 𝕋 → ℤ,  t ↦ discretise(t) = ⌈M × t⌉ mod M .

This discretisation function naturally extends to vectors of the torus.Applied to the vector c = (α₁, ..., α_(n), b) of T^(n+1), we obtain thevector c̅ of (Z_(M))^(n+1) given by c̅ = (a₁ , ..., a_(n) , b̅) with a_(j)= [M × a_(j)] mod M (for 1 ≤ j ≤ n) and b̅ = [M × b] mod M. In a moredetailed manner, if we define i = [M × µ] mod M and e̅ = [M × e̅], we have

$\overline{b}\mspace{6mu} = \mspace{6mu}\lbrack {M\mspace{6mu} \times \mspace{6mu}( {{\sum_{j = 1}^{n}{s_{j}\mspace{6mu} \cdot \mspace{6mu} a_{j}\mspace{6mu} + \mspace{6mu}\mu\mspace{6mu} + \mspace{6mu} e}}\mspace{6mu}( {{mod}\mspace{6mu} 1} )} )} \rbrack\mspace{6mu}{mod}\mspace{6mu} M$

$= \mspace{6mu}\lbrack {M\mspace{6mu} \times \mspace{6mu}( {{\sum_{j = 1}^{n}{s_{j}\mspace{6mu} \cdot \mspace{6mu} a_{j}}}\mspace{6mu} + \mspace{6mu}\mu\mspace{6mu} + \mspace{6mu} e\mspace{6mu} + \mspace{6mu}\delta} )} \rbrack\mspace{6mu}{mod}\mspace{6mu} M$

for a given δ in Z

$= \mspace{6mu}\lbrack {M\mspace{6mu} \times \mspace{6mu}( {{\sum_{j = 1}^{n}s_{j}}\mspace{6mu} \cdot \mspace{6mu} a_{j}\mspace{6mu} + \mspace{6mu}\mu\mspace{6mu} + \mspace{6mu} e} )} \rbrack\mspace{6mu}{mod}\mspace{6mu} M$

$= \mspace{6mu}\lbrack {{\sum_{j = 1}^{n}s_{j}}\mspace{6mu} \cdot \mspace{6mu}( {M\mspace{6mu} \cdot \mspace{6mu} a_{j}} )\mspace{6mu} + \mspace{6mu} M\mspace{6mu} \cdot \mspace{6mu}\mu\mspace{6mu} + \mspace{6mu} M\mspace{6mu} \cdot \mspace{6mu} e} \rbrack\mspace{6mu}{mod}\mspace{6mu} M$

$= \mspace{6mu}( {{\sum_{j = 1}^{n}s_{j}}\mspace{6mu}\overline{a_{j}}\mspace{6mu} + \mspace{6mu} i\mspace{6mu} + \mspace{6mu}\overline{e}\mspace{6mu} + \mspace{6mu}\Delta} )\mspace{6mu}{mod}\mspace{6mu} M$

for a small Δ in Z ; the signed integer Δ captures the rounding errorand is called “drift”. The expected value of the drift is zero.Moreover, of |e| < 1/(2 M) then e̅ = 0. We assume

$\widetilde{\iota}\mspace{6mu} = \mspace{6mu} i\mspace{6mu} + \mspace{6mu}\Delta\mspace{6mu}\text{with}\mspace{6mu}\Delta\mspace{6mu} \in \mspace{6mu}\{ {- \mspace{6mu}\lceil \frac{M}{2} \rceil\mspace{6mu} + \mspace{6mu} 1,\mspace{6mu}\ldots\mspace{6mu},\mspace{6mu}\lfloor \frac{M}{2} \rfloor} \},$

which ĩ has as an expected value the integer i = [M × µ] modM =discretise(µ). The encoding function encode is parameterised so that itsimage is contained in the sub-interval

$\lbrack {0,\mspace{6mu}\frac{N}{M}\mspace{6mu} - \mspace{6mu}\frac{1}{2M}} )$

of the torus. In this manner, if x ∈ D then

$\mu\mspace{6mu} = \mspace{6mu}\text{encode}(x)\mspace{6mu} \in \mspace{6mu}\lbrack {0,\mspace{6mu}\frac{N}{M}\mspace{6mu} - \mspace{6mu}\frac{1}{2M}} )$

and i = discretise(µ) = [M × µ] mod M ∈ [0, N). Indeed, it is verifiedthat if

$0\mspace{6mu} \leq \mspace{6mu}\mu\mspace{6mu} < \mspace{6mu}\frac{N}{M}\mspace{6mu} - \mspace{6mu}\frac{1}{2M}$

then [M × µ] ≥ 0 and

$\lbrack {M\, \times \mspace{6mu}\mu} \rbrack\quad \leq \mspace{6mu} M\mspace{6mu} \times \mspace{6mu}\mu\mspace{6mu} + \mspace{6mu}\frac{1}{2}$

$< \mspace{6mu} M\mspace{6mu} \times \mspace{6mu}( {\frac{N}{M}\mspace{6mu} - \mspace{6mu}\frac{1}{2M}} )\mspace{6mu} + \mspace{6mu}\frac{1}{2}\mspace{6mu} = \mspace{6mu} N$

and therefore, since N ≤ M, [M × µ] mod M = [M × µ] ∈ [0, N). Hence, forthese functions discretise and encode, we actually have (discretise oencode) (D) ⊆ {0,..., N - 1} = S, in other words (discretise o encode)(D) is a subset of the set of the indexes S = {0,..., N - 1}. Thus, inone of the embodiments of the invention, the approximate homomorphicevaluation of the univariate function ƒ is further characterised in that

-   the encoding function encode has its image contained in the    sub-interval-   $\lbrack {0,\frac{N}{M}\mspace{6mu} - \mspace{6mu}\frac{1}{2M}} )$-   of the torus, and-   the discretisation function discretise applies an element t of the    torus to the integer rounding of the product M × t modulo M, where M    × t is calculated in R; in mathematical form, discretise: T → Z, t ↦    discretise(t) = [M × t] mod M.

It should be noticed that when the domain of definition of the functionƒ to be evaluated is the real interval D = [x_(min), x_(max)) and thatthe native space of cleartexts M is the torus T, a possible choice forthe encoding function encode is encode:

$ D\mspace{6mu}arrow\mspace{6mu}\mathbb{T},x\mspace{6mu}\mapsto\mspace{6mu}\frac{2N - 1}{2M}\mspace{6mu}\frac{x - x_{\min}}{x_{\max} - x_{\min}}. $

We then have encode

$(x)\mspace{6mu} \in \mspace{6mu}\lbrack {0,\mspace{6mu}\frac{N}{M}\mspace{6mu} - \mspace{6mu}\frac{1}{2M}} )$

for x ∈ D; we note that

$\frac{N}{M}\mspace{6mu} - \mspace{6mu}\frac{1}{2M}\mspace{6mu} = \mspace{6mu}\frac{2N - 1}{2M}.$

Thus, in one of the embodiments of the invention, the approximatehomomorphic evaluation of the univariate function ƒ is furthercharacterised in that when the domain of definition of the function ƒ isthe real interval D = [x_(min), x_(max)), the encoding function encodeis encode :

$\begin{array}{l} \lbrack {x_{\min},\mspace{6mu} x_{\max}} )\mspace{6mu}arrow\mspace{6mu}\lbrack {0,\mspace{6mu}\frac{N}{M}\mspace{6mu} - \mspace{6mu}\frac{1}{2M}} )\mspace{6mu},\mspace{6mu} x\mspace{6mu}\mapsto\mspace{6mu}\text{encode}(x)\mspace{6mu} = \mspace{6mu}  \\{\frac{2N - 1}{2M}\frac{x\mspace{6mu} - \mspace{6mu} x_{\min}}{x_{\max}\mspace{6mu} - \mspace{6mu} x_{\min}}.}\end{array}$

The construction (discretise o encode) (D) gives rise to a firstembodiment of the conversion of E(encode(x)) into ε_(H)(encode_(H)(ĩ)).It supposes that the elements of the set S are seen directly as integersof Z_(M). As an encoding function encode_(H), we consider the identityfunction, encode_(H): Z_(M) ➙ Z_(M), i ↦ i. With the previous notations,if we denote µ = encode(x) ∈ T and its LWE ciphertext on the torus c =(α₁, ..., α_(n), b) with

$b\mspace{6mu} = \mspace{6mu}{\sum_{j = 1}^{n}s_{j}}\mspace{6mu} \cdot \mspace{6mu} a_{j}\mspace{6mu} + \mspace{6mu}\mu\mspace{6mu} + \mspace{6mu} e$

(mod 1), then ε_(H)(encode_(H)(ĩ)) ∈ (Z_(M))^(n+1) is defined as

$\begin{matrix}{\varepsilon_{H}( {\text{encode}_{H}( \widetilde{\iota} )} )\mspace{6mu} = \mspace{6mu}\varepsilon_{H}( \widetilde{\iota} )} \\{= \mspace{6mu}( {\overline{a_{1}},\mspace{6mu}\ldots\mspace{6mu},\mspace{6mu}\overline{a_{n}},\mspace{6mu}\overline{b}} )}\end{matrix}$

with a_(j) = M × a_(j) mod M for 1 ≤ j ≤ n and b̅ = M × b mod M. Itshould be noted that

$\overline{b}\mspace{6mu} =$

$( {{\sum_{j = 1}^{n}s_{j}}\mspace{6mu}\overline{a_{j}}\mspace{6mu} + \mspace{6mu}\widetilde{\iota}\mspace{6mu} + \mspace{6mu}\overline{e}} )$

mod M. In this case, we observe that ε_(H) is an LWE-type encryptionalgorithm on the ring Z_(M); the encryption key is (S₁,..., S_(n)) ∈{0,1}^(n).

Thus, in one of the embodiments of the invention, the approximatehomomorphic evaluation of the univariate function ƒ is furthercharacterised in that the homomorphic encryption algorithm ε_(H) is anLWE-type encryption algorithm and the encoding function encode_(H) isthe identity function.

A second embodiment of the conversion of E(encode(x)) intoε_(H)(encode_(H)(ĩ)) is obtained by considering the M-th roots of theunit; this allows working multiplicatively. More specifically, it isassumed that M is even and an arbitrary polynomial p := p(X) of T_(M/2)[X] is fixed. The encoding function encode_(H) is the function

encode_(H) : ℤ_(M) → 𝕋_(M/2)[X], i ↦ encode_(H)(i) = X^(−i) ⋅ p(X)

and the encryption algorithm ε_(H) is an RLWE-type encryption algorithmon Z_(M/2) [X]-modulus T_(M/2) [X]. The conversion for this choice ofencode_(H) and of ε_(H) uses the re-encryption technique. We denotebk[j] ∈ T_(M/2)[X]^((k+1)ℓ×(k+1)) the RGSW-type ciphertext of s_(j), for1 ≤ j ≤ n, under a key (s′₁, ..., s′_(k)) ∈ B_(M/2)[X]^(k). Theconversion of E(encode(x)) = (a₁, ..., a_(n), b) ∈ T^(n+1) into ε_(H)(encode_(H) (ĩ) is given by the following procedure:

-   obtain the conversion public keys bk[1], ..., bk[n]-   calculate a _(j) = M × a_(j) mod M for 1 ≤ j ≤ n and b̅ = M × b mod M-   initialise c′₀ ← (0,..., 0, X⁻ ^(b) p(X)) ∈ T_(M/2) [X]^(k+1)-   for j ranging from 1 to n, evaluate c′_(j) ← ((X ^(aj) - 1)    bk[j] + G) ⍰ c′_(j-1) (in T_(M/2)[X]^(k+1))-   return c′_(n) as the result ε_(H)(encode_(H)(ĩ)).

In this case, it is observed that ε_(H) is an RLWE-type encryptionalgorithm on the modulus T_(M/2) [X]; the encryption key is (s′₁, ...,s′_(k)) ∈ _(M/2)[X]^(k). Indeed, if we set C_(j) an RGSW-type encryptionof X^(sj) ^(a) ^(j) under the key (s′₁, ..., s′_(k)) (for 1 ≤ j ≤ n), inmathematical form C_(j) = RGSW(X^(sj) ^(a) ^(j)), we have

$\begin{matrix} \text{C}_{j}\quadarrow\,\text{RGSW}( X^{s_{j}\overline{a_{j}}} )  \\ arrow\mspace{6mu}\text{RGSW}\mspace{6mu}( {s_{j}( {X^{\overline{a_{j}}} - 1} )\mspace{6mu} + \mspace{6mu} 1} )  \\ arrow\mspace{6mu}\text{RGSW}\mspace{6mu}( {s_{j}( {X^{\overline{a_{j}}}\mspace{6mu} - \mspace{6mu} 1} )} )\mspace{6mu} + \mspace{6mu}\text{RGSW}\mspace{6mu}(1)  \\ arrow\mspace{6mu}( {X^{\overline{a_{j}}}\mspace{6mu} - \mspace{6mu} 1} )\mspace{6mu} \cdot \mspace{6mu}\text{RGSW}( s_{j} )\mspace{6mu} + \mspace{6mu}\text{RGSW}\mspace{6mu}(1)  \\ arrow\mspace{6mu}( {X^{\overline{a_{j}}}\mspace{6mu} - \mspace{6mu} 1} )\mspace{6mu} \cdot \mspace{6mu}\text{bk}\lbrack j\rbrack\mspace{6mu} + \mspace{6mu}\text{G}\mspace{6mu}\text{.} \end{matrix}$

Thus, if we denote RLWE(m) an RLWE-type encryption for m ∈ T_(M/2)[X],under the key (s′₁, ..., s′k), we have

$\begin{matrix} \text{c'}_{1}\quadarrow\mspace{6mu}\text{C}_{1}\mspace{6mu}\boxed{\cdot}\,\text{c}\prime_{0}\mspace{6mu} = \mspace{6mu}\text{RGSW}\mspace{6mu}( X^{s_{1}\overline{a_{1}}} )\mspace{6mu}\boxed{\cdot}\mspace{6mu}\text{RLWE}\,( {X^{- \overline{b}}\mspace{6mu} \cdot \mspace{6mu} p(X)} )  \\ arrow\mspace{6mu}\text{RLWE}\mspace{6mu}( {X^{- \overline{b} + s_{1}\overline{a_{1}}} \cdot \mspace{6mu} p(X)} ) \end{matrix}$

and, by induction,

$\begin{matrix} \text{c'}_{n}\quadarrow\mspace{6mu}\text{RLWE}\mspace{6mu}( {X^{- \overline{b} + s_{1}\overline{a_{1}} + \cdots + s_{n}\overline{a_{n}}}\mspace{6mu} \cdot \mspace{6mu} p(X)} )  \\ arrow\mspace{6mu}\varepsilon_{H}( {\text{encode}_{H}( \widetilde{\iota} )} )\mspace{6mu}. \end{matrix}$

Thus, in one of the embodiments of the invention, the approximatehomomorphic evaluation of the univariate function f, parameterised by aneven integer M, is further characterised in that the homomorphicencryption algorithm ε_(H) is an RLWE-type encryption algorithm and theencoding function encode_(H) is the function encode_(H): ℤ_(M) → T_(M/2)[X], i ↦ encode_(H)(i) = X^(-i). p(X) for an arbitrary polynomial p ofT_(M/2) [X].

It is now possible to perform the homomorphic evaluation of the table Tfrom ε_(H)(encode_(H) (ĩ)), according to either one of the previous twoembodiments. In both cases, we suppose that E is an LWE-type algorithmon the torus and that M is even and it is equal to 2N.

-   1. The first case supposes that the encoding function encode_(H) is    encode_(H): ℤ_(2N) → ℤ_(2N), i ↦ i and that the algorithm ε_(H) is    an LWE-type encryption algorithm on ℤ_(2N). In this first case, we    have ε_(H)(encode_(H)(ĩ)) = (a̅₁̅, ..., a̅_(n)̅, b̅). A fist substep    consists in:    -   forming the polynomial q ∈ T_(N)[X] given by q(X) = T′[0] +        T′[1]X + ⋯ + T′[N-1]X^(N-1) =    -   ∑_(j = 0)^(n − 1)T′[j]X^(j)    -   with T′[j] = encode′(T[j]) to 0 ≤ j ≤ N-1    -   obtain the conversion public keys bk[1], ..., bk[n]    -   initialise c″₀ ← (0, ..., 0, X^(-b̅) . q(X)) ∈ T_(N)[X]^(k+1)    -   for j ranging from 1 to n, evaluate c″_(j) ← ((X^(a̅j̅) - 1) ·        bk[j] + G) c″_(j-1) (in T_(N)[X]^(k+1))    -   assume d′ = c″_(n)    -   returning d′ = RLWE (X^(-ĩ) · q(X)).-   2. The second case supposes the encoding function encode_(H): ℤ_(2N)    → T_(N)[X], i ↦ X^(-i). p(X) for an arbitrary polynomial p := p(X) ∈    T_(N)[X] and that the algorithm ε_(H) is an RLWE-type encoding    algorithm on T_(N)[X] In this second case, we have ε(encode_(H)(ĩ))    = RLWE(X^(-ĩ) · p(X)) for the arbitrary polynomial p ∈ T_(N)[X]. A    first substep consists in:    -   selecting a polynomial P := P(X) ∈ ℤ_(N) [X] such that P · p ≈ q        with q ∈ T_(N)[X] given by    -   q(X) = T′[0] + T′[1]X + ⋯ + T′[N − 1]X^(N − 1) = ∑_(j = 0)^(N − 1)T′[j]X^(j)    -   with T′[j] = encode′(T[j]) to 0 ≤ j ≤ N - 1    -   evaluate d′ ← P · RLWE(X^(-ĩ) · p(X))    -   return d′ = RLWE(X^(-ĩ) · (P(X) · p(X))) with P(X) · p(X) ≈        q(X).

In particular, it should be noted that, for an integer L > 1, if

$p(X)\text{=}( {1 + X + ... + X^{N - 1}} )\mspace{6mu} \cdot \mspace{6mu}\frac{1}{2L}$

then the choice

$\begin{array}{l}{P(X)\mspace{6mu} = \mspace{6mu}{\sum\limits_{j = 0}^{N - 1}{P_{j}X^{j}}}\mspace{6mu}\text{avec}\mspace{6mu}} \\\{ {}_{P_{j}\mspace{6mu} = \mspace{6mu}{\lbrack{L\mspace{6mu} \times \mspace{6mu}{({T\prime\mspace{6mu}{\lbrack j\rbrack}\mspace{6mu} - \mspace{6mu} T\prime\mspace{6mu}{\lbrack{j - 1}\rbrack}})}}\rbrack}\quad\text{pour}\mspace{6mu}\text{1}\mspace{6mu} \leq \mspace{6mu}\text{j}\mspace{6mu} \leq \mspace{6mu}\text{N}\mspace{6mu} - \mspace{6mu} 1}^{P_{0}\mspace{6mu} = \mspace{6mu}{\lbrack{L\mspace{6mu} \times \mspace{6mu}{({T\prime\mspace{6mu}{\lbrack 0\rbrack}\mspace{6mu} + \mspace{6mu} T\prime\mspace{6mu}{\lbrack{N - 1}\rbrack}})}}\rbrack}} )\end{array}$

(where the multiplication by L is calculated in ℝ) implies P(X) · p(X) ≈T′[0] + T′[1]X + ··· + T′[N - 1]X^(N-1). Indeed, it is observed that forthis choice of the polynomial p we have

$\begin{array}{l}{P(X)\mspace{6mu} \cdot \mspace{6mu} p(X)\quad} \\{= \mspace{6mu}( {P_{0}\mspace{6mu} + \mspace{6mu} P_{1}X\mspace{6mu} + \mspace{6mu} P_{2}X^{2}\mspace{6mu} + \mspace{6mu}\cdots\mspace{6mu} + \mspace{6mu} P_{N - 2}X^{N - 2}\mspace{6mu} + \mspace{6mu} P_{N - 1}X^{N - 1}} )\mspace{6mu}.}\end{array}$

$\begin{array}{l}{\quad\quad( {\frac{1}{2L}( {1\mspace{6mu} + \mspace{6mu} X\mspace{6mu} + \mspace{6mu} X^{2}\mspace{6mu} + \mspace{6mu}\cdots\mspace{6mu} + \mspace{6mu} X^{N - 2}\mspace{6mu} + \mspace{6mu} X^{N - 1}} )} )} \\{= \mspace{6mu}( ( {P_{0}\mspace{6mu} - \mspace{6mu} P_{1}\mspace{6mu} - \mspace{6mu} P_{2}\mspace{6mu} - \mspace{6mu}\cdots\mspace{6mu} - \mspace{6mu} P_{N - 2}\mspace{6mu} - \mspace{6mu} P_{N - 1}} ) )} \\{\quad\quad + \mspace{6mu}( {P_{0}\mspace{6mu} + \mspace{6mu} P_{1}\mspace{6mu} - \mspace{6mu} P_{2}\mspace{6mu} - \mspace{6mu}\cdots\mspace{6mu} - \mspace{6mu} P_{N - 2}\mspace{6mu} - \mspace{6mu} P_{N - 1}} )X} \\{\quad\quad + \mspace{6mu}( {P_{0}\mspace{6mu} + \mspace{6mu} P_{1}\mspace{6mu} + \mspace{6mu} P_{2}\mspace{6mu} - \mspace{6mu}\cdots\mspace{6mu} - \mspace{6mu} P_{N - 2}\mspace{6mu} - \mspace{6mu} P_{N - 1}} )X^{2}} \\{\quad\quad + \mspace{6mu}\cdots} \\{\quad\quad + \mspace{6mu}( {P_{0}\mspace{6mu} + \mspace{6mu} P_{1}\mspace{6mu} + \mspace{6mu} P_{2}\mspace{6mu} + \mspace{6mu}\cdots\mspace{6mu} + \mspace{6mu} P_{N - 2}\mspace{6mu} - \mspace{6mu} P_{N - 1}} )X^{N - 2}} \\{\quad\quad + \mspace{6mu}( {P_{0}\mspace{6mu} + \mspace{6mu} P_{1}\mspace{6mu} + \mspace{6mu} P_{2}\mspace{6mu} + \mspace{6mu}\cdots\mspace{6mu} + \mspace{6mu} P_{N - 2}\mspace{6mu} + \mspace{6mu} P_{N - 1}} )( X^{N - 1} )\mspace{6mu} \cdot \mspace{6mu}\frac{1}{2L}} \\{\approx \mspace{6mu}( {\lbrack {2L\mspace{6mu} \times \mspace{6mu} T\prime\lbrack 0\rbrack} \rbrack\mspace{6mu} + \mspace{6mu}\lbrack {2L\mspace{6mu} \times \mspace{6mu} T\prime\lbrack 1\rbrack} \rbrack X\mspace{6mu} + \mspace{6mu}\cdots\mspace{6mu} + \mspace{6mu}\lbrack {2L\mspace{6mu} \times \mspace{6mu} T\prime\lbrack {N - 1} \rbrack} \rbrack X^{N - 1}} )\mspace{6mu} \cdot \mspace{6mu}\frac{1}{2L}} \\{\approx \mspace{6mu} T\prime\mspace{6mu}\lbrack 0\rbrack\mspace{6mu} + \mspace{6mu} T\prime\lbrack 1\rbrack X\mspace{6mu} + \mspace{6mu}\cdots\mspace{6mu} + \mspace{6mu} T\prime\mspace{6mu}\lbrack {N - 1} \rbrack X^{N - 1}\mspace{6mu} = \mspace{6mu} q(X)}\end{array}$

while noting that, for

$0\mspace{6mu} \leq \mspace{6mu} r\mspace{6mu} \leq \, N\mspace{6mu} - \mspace{6mu} 1,\,{\sum_{j = 0}^{r}P_{j}}\mspace{6mu} = \mspace{6mu} P_{0}\mspace{6mu} + \mspace{6mu}{\sum_{j = 1}^{r}P_{j}}\mspace{6mu} \approx \mspace{6mu}\lbrack {L\mspace{6mu} \times \mspace{6mu}( {T\prime\lbrack 0\rbrack\mspace{6mu} + \mspace{6mu} T\prime\lbrack {N\mspace{6mu} -} )} )} )$

1]) + L × T′[N - 1])and

$- {\sum_{j = r + 1}^{N - 1}P_{j}} \approx \lceil {L \times} \rceil$

(T′[r] - T′ [N - 1]). It should be noticed that P · p ≈ q; the equalitybeing verified within a given drift, which has an expected value equalto zero.

In both cases, in return of this first substep of the homomorphicevaluation of the table T, an RLWE-type ciphertext d′ of the expectedpolynomial X^(-ĩ) · q(X) is obtained under a key (s′₁,..., s′_(k)) ∈B_(N)[X]^(k+1), which key being that one used to produce the RGSW-typeciphertexts bk[j] (1 ≤ j ≤ n) encrypting the bits s_(j) of the secretkey (s₁, ..., s_(n)) ∈ {0,1}^(n). By the form of q(X), the constant termof the polynomial X^(-ĩ) · q(X) = X^(-ĩ) · (T′[0] + T′[1]X + ··· +T′[N]X^(N-1)) is T′[ĩ] = encode′(T[ĩ]). We denote (a′₁, ..., a′_(k), b′)∈ T_(N)[X]^(k+1) the components of the ciphertext d′.

A second sub-step (common to both cases) of the homomorphic evaluationof the table T extracts an LWE-type ciphertext of T′[ĩ] = encode′(T[ĩ])from said RLWE ciphertext:

-   for each 1 ≤ j ≤ k, write the polynomial a′_(j) := a′_(j)(X) ∈    T_(N)[X] as a′_(j)(X)-   ${\sum_{l = 0}^{N - 1}( {a^{\prime}}_{j} )}_{l}X^{l}$-   with (a′_(j))_(l) ∈ T (for 0 ≤ l ≤ N - 1)-   write the polynomial b′ := b′(X) ∈ T_(N)[X] as-   $b^{\prime}(X) = {\sum_{l = 0}^{N - 1}{( b^{\prime} )_{l}X^{l}}}$-   with (b′)_(l) ∈ T (for 0 ≤ l ≤ N - 1)-   define the element vector on torus (a″₁, ..., a″_(kN)) ∈ T^(kN)    where-   $\{ \begin{array}{l}    {a^{''}\quad_{1 + jN} = ( a_{j} )_{0}\quad\quad\quad\text{pour}\mspace{6mu} 1 \leq j \leq k} \\    {a^{''}\quad_{1 + l + jN} = - ( a_{j} )_{N - l}\mspace{6mu}\mspace{6mu}\mspace{6mu}\text{pour}\mspace{6mu} 1 \leq j \leq k\mspace{6mu}\text{et}\mspace{6mu} 1 \leq l \leq N - 1}    \end{array} )$-   return the element vector on the torus (a″₁, ..., a″_(kN), b″) ∈    T^(kN+1) where b″ = (b′)₀ is the constant term of the polynomial b′.

If, for each 1 ≤ j ≤ k, the polynomial s′_(j) := s′_(j)(X) ∈ B_(N)[X] iswritten as

$s\prime_{j}(X) = {\sum_{l = 0}^{N - 1}( {s^{\prime}}_{j} )}_{l}X^{l}$

with (s′_(j))_(l) ∈ B = {0,1} (for 0 ≤ l ≤ N - 1), one can see that thereturned vector (a″₁, ..., a″_(kN), b″) is an LWE-type ciphertext on thetorus of T′[ĩ] = encode′(T[ĩ]) under the key ((s′₁)₀, (s′₁)₁,...,(s′₁)_(N-1),..., (s′_(k))₀, (s′k)₁,..., (s′_(k))_(N-1)) ∈ {0,1}^(kN).This defines the encryption algorithm E′; we thus have (a″₁, ...,a″_(kN), b″) = E′(encode′(T[ĩ])). In this case, the corresponding nativespace of cleartexts is M′ = T. Hence, since T[ĩ] = y(ĩ) and y(ĩ) ≈ f(x),we actually obtain an LWE-type ciphertext of an encryption with anapproximate value of f(x).

Upon completion of this calculation, the ciphertextE′(encode′(T[ĩ])^(~)) can be decrypted and decoded to give anapproximate value of f(x).

Thus, in one of the embodiment of the invention, the approximatehomomorphic evaluation of the univariate function f, parameterised by aneven integer M equal to 2N, is further characterised in that an LWE-typeciphertext E′(encode′(T[ĩ])) on the torus is extracted from an RLWEciphertext approximating the polynomial

$q(X) = T\prime\lbrack 0\rbrack + T^{\prime}\lbrack 1\rbrack X + \cdots + T^{\prime}\lbrack {N - 1} \rbrack X^{N - 1} = {\sum_{j = 0}^{N - 1}T^{\prime}}\lbrack j\rbrack X^{j}$

in T_(N)[X] and where T′[j] = encode′(T[j]), 0 ≤ j ≤ N - 1.

When the image J of the function f to be evaluated is the real interval[y_(min), y_(max)) and the native space of cleartexts M′ for an LWE-typeencryption is the torus T, a possible choice for the encoding functionencode′ is encoded

$ Jarrow\mathbb{T},y\mapsto\text{encod}\text{e}^{\prime}(y) = \frac{y - y_{\min}}{y_{\max} - y_{\min}}. $

In this case, the corresponding decoding function is given by y′ ↦y′(y_(max) - y_(min)) + y_(min).

Thus, in one of the embodiments of the invention, the approximatehomomorphic evaluation of the univariate function f is furthercharacterised in that, when the image of the function f is the realinterval J = [y_(min), y_(max)),

-   the homomorphic encryption algorithm E′ is given by an LWE-type    encryption algorithm applied to the torus T = ℝ/ℤ and has as a    native space of the cleartexts M′ = T,-   the encoding function encode′ is encode′: [ymin, ymax) →T,y ↦    encode′-   $(y) = \frac{y - y_{\min}}{y_{\max} - y_{\min}}.$

The encoding should be taken into account during the addition of theciphertexts. If we denote encode the encoding function of a homomorphicencoding algorithm E, we then have E (µ₁ + µ₂) = E(µ₁) + E(µ₂) with µ₁ =encode(x₁) and µ₂ = encode(x2). If the encoding function is homomorphic,then we actually have E(encode(x₁ + x₂)) = E(encode(x₁)) +E(encode(x₂)). Otherwise, if the encoding function does not comply withthe addition, a correction ε should be applied on the encoding: ε =encode(x₁ + x₂) - encode(x₁) -encode(x₂) so that E(encode(x₁ + x₂)) =E(encode(x₁)) + E(encode(x₂)) + E(ε). In particular, when the encodingis defined by encode:

$ x\mapsto\frac{N - 1}{2M}\frac{x - x_{\min}}{x_{\max} - x_{\min}}, $

the correction amounts to

$\varepsilon = \frac{N - 1}{2M}\frac{x_{\min}}{x_{\max} - x_{\min}}$

and is zero for x_(min) = 0. It should be recalled that for an LWE-typeencryption scheme, an uplet in the form (0, ..., 0, ε) is a validciphertext of ε.

Of course, the previous considerations remain valid on the images. For ahomomorphic encryption algorithm E′ with an encoding function encode′,we have E′(encode′(f(x₁) + f(x₂))) = E′(encode′(f(x₁))) +E′(encode′(f(x₂))) + E′(ε′) for a correction ε′ = encode′(f(x₁) +f(x₂)) - encode′(f(x₁)) - encode′(f(x₂)). In particular, the correctionε′ is zero when the encoding encode’ complies with the addition. Thecorrection ε′ amounts to

$\varepsilon^{\prime} = \frac{y_{\min}}{y_{\max} - y_{\min}}$

for the encoding encode′:

$ y\mapsto\frac{y - y_{\min}}{y_{\max} - y_{\min}}. $

Another important particular case is when the same univariate function fshould be homomorphically evaluated on inputs x₁ and x₂ = x₁ + A for agiven constant A. A typical example of application is the internalfunction ψ in Sprecher’s application described hereinabove. For ahomomorphic encryption algorithm E with an encoding function encode,given the fact that E(encode(x₁)), it is possible to deduceE(encode(x2)) = E(encode(x₁ + A)) and then obtain E′(encode′(f(x₁))) andE′(encode′(f(x₂))) as explained before. However, it is necessary torepeat all the steps. In the particular case where E is an LWE-typealgorithm on the torus and that M = 2N, at the input E(encode(x₁)), wehave seen that in return of the first substep of the homomorphicevaluation of the table T, we obtain an RLWE-type ciphertext d′ of theexpected polynomial X^(-ĩ) ¹ · q(X) where the polynomial q tabulates thefunction f and where ĩ₁ has as an expected value i₁ =discretise(encode(x₁)) if x₁ belongs to the sub-interval R_(i1) . Forexample, for the discretisation function discretise: t ↦ t̅ = M × t(modM) with M = 2N, we obtain

$\begin{matrix}{i_{2}\quad: = \text{discretise}( {\text{encode}( x_{2} )} ) = \text{discretise}( {\text{encode}( {x_{1} + A} )} )} \\{= \text{discretise}( {\text{encode}( x_{1} ) + \text{encode}(A) + \varepsilon} )} \\{= \lceil {2N \times ( {\text{encode}( x_{1} ) + \text{encode}(A) + \varepsilon} )} \rceil{mod}2N} \\{\approx i_{1} + \overline{\mu_{A}}( {{mod}2N} )\mspace{6mu}\text{with}\mspace{6mu}\overline{\mu_{A}}: = \lceil {2N \times \text{encode}(A) + \varepsilon} \rceil}\end{matrix}$

and therefore X^(-ĩ) ² · q(X) ≈ X^(-ĩ1-µ̅̅) ^(A̅) · q(X) = X^(-µ̅) ^(A̅) ·(X^(-ĩ) ¹ · q(X)). In this case, an RLWE-type ciphertext of the expectedpolynomial X^(-ĩ) ² · q(X) can be obtained more rapidly like X^(-µ̅) ^(A)· d′. A value for E′(encode′(f(x₂))^(~)) is therefore deduced by thesecond substep of the homomorphic evaluation of the table T.

The invention also covers an information processing system that isspecifically programmed to implement a homomorphic cryptographicevaluation method according to either one of the alternative methodsdescribed hereinabove.

Also, it covers the computer program product that is specificallydesigned to implement either one of the alternative methods describedhereinabove and to be loaded and implemented by an informationprocessing system programmed for this purpose.

Application Examples of the Invention

The above-described invention can be very advantageously used topreserve the confidentiality of some data, for example yet notexclusively personal, health, classified information data or moregenerally all data that its holder wishes to keep secret but on which hewould wish that a third-party can perform digital processing. Thedelocalisation of the processing to one or more third-party serviceprovider(s) is interesting from several reasons: it allows performingoperations that otherwise require some costly or unavailable resources;it also allows performing non-public operations. In turn, thethird-party responsible for carrying out said digital processingoperations might, indeed, wish not to communicate the actual content ofthe processing and the digital functions implemented thereby.

In such a use, the invention covers the implementation of a remotedigital service, such as in particular a cloud computing service inwhich a third-party service provider responsible for the application ofthe digital processing on the encrypted data, carries out, on its part,a first precalculation step described hereinabove, which consists, foreach multivariate function f_(j) among the functions f₁, ..., f_(q)which will be used to process the encrypted data, in pre-calculating anetwork of univariate functions. Among all of the resulting univariatefunctions ({g_(k)(z_(ik) ))_(k) for a given z_(ik) with k ≥ 1), thethird-party pre-selects in a second step univariate functions g_(k) andtheir respective argument z_(ik) such that there is k′ < k meeting oneof the three criteria (i) g_(k) = g_(k′), and z_(ik) = z_(ik′) , (ii)g_(k) ≠ g_(k′) and z_(ik) = z_(ik′) , or (iii) g_(k) = g_(k′) and z_(ik)= z_(ik′) + a_(k) for a known constant a_(k) ≠ 0; these univariatefunctions will, where appropriate, be evaluated in an optimised manner.

In turn, the holder of the confidential data (x₁, ..., x_(p)) carriesout the encryption thereof by a homomorphic encryption algorithm E so asto transmit to the third-party type data E(µ₁), ..., E(µ_(p)), whereµ_(i) is the encoded value of x_(i) by an encoding function. Typically,the choice of the algorithm E is imposed by the third-party provider ofthe service. Alternatively, the holder of data can use an encryptionalgorithm of his choice, not necessarily homomorphic, in which case aprior step of re-encryption will be performed by the third-party (oranother service provider) to obtain the encrypted data in the desiredformat.

Thus, in one of the embodiments of the invention, thepreviously-described homomorphic evaluation cryptographic method(s) ischaracterised in that the input encrypted data are derived from a priorre-encryption step to be set in the form of ciphertexts of encryptionsof said homomorphic encryption algorithm E.

Once the third-party has obtained the encrypted type data E(µ_(i)), atthe step of homomorphic evaluation of the network of univariatefunctions, it homomorphically evaluates in a series of successive stepsbased on these ciphertexts each of the networks of univariate functions,so as to obtain the ciphertexts of encryptions of ƒ_(j) applied to theirinputs (for 1 ≤ j ≤ q) under the encryption algorithm E′.

Once it has obtained, for the considered different function(s) ƒ_(j) theencrypted results of the encryptions on their input values, theconcerned third-party sends all these results back to the holder of theconfidential data.

The holder of the confidential data can then obtain, based on thecorresponding decryption key held thereby, after decoding, a value ofthe result of one or more function(s) (ƒ₁, ...,ƒ_(q)) starting fromhomomorphically encrypted input data (x₁, ..., x_(p)), without thethird-party having carried out on said data the digital processingconsisting in the implementation of one or more function(s), having beenable to know the clear content of the data nor, reciprocally, the holderof the data having had to know the detail of the implementedfunction(s).

Such a sharing of tasks between the holder of the data and thethird-party acting as a digital processing service provider canadvantageously be carried out remotely, and in particular throughoutcloud computing type services without affecting the security of the dataand of the concerned processing. Moreover, the different steps of thedigital processing may be the responsibility of different serviceproviders.

Thus, in one of the embodiments of the invention, a cloud computing typeremote service implements one or more of the previously-describedhomomorphic evaluation cryptographic methods, wherein the tasks areshared between the holder of the data and the third-part(y/ies) actingas digital processing service providers.

In a particular embodiment of the invention, this remote serviceinvolving the holder of the data x₁, ..., x_(p) that he wishes to keepsecret and one or more third-part(y/ies) responsible for the applicationof the digital processing on said data, is further characterised in that

-   1. the concerned third-part(y/ies) carry out, according to the    invention, the first step of pre-calculating networks of univariate    functions and the second pre-selection step-   2. the holder of the data carries out the encryption of x₁, ...,    x_(p) by a homomorphic encryption algorithm E, and transmits to the    third-party type data E(µ₁), ..., E(µ_(p)), where µ_(i) is the    encoded value of x_(i) by an encoding function-   3. once the concerned third-party has obtained the encrypted type    data E(µ_(i)), he homomorphically evaluates in a series of    successive steps based on these ciphertexts each of said networks of    univariate functions, so as to obtain the ciphertexts of encryptions    of ƒ_(j) applied to their inputs (for 1 ≤ j ≤ q) under the    encryption algorithm E′-   4. once he has obtained, for the considered different function(s)    ƒ_(j) the encrypted results of the encryptions on their input    values, the concerned third-party sends all these results back to    the holder of the data-   5. the holder of the data obtains, based on the corresponding    decryption key held thereby, after decoding, a value of the result    of one or more function(s) (ƒ_(1,) ..., ƒ_(q))·

A variant of this embodiment is characterised in that, in the secondstep (2.) hereinabove:

-   the holder of the data carries out the encryption of x₁, ..., x_(p)    by an encryption algorithm different from E and transmits said data    thus encrypted.-   on said received encrypted data, the concerned third-party performs    a re-encryption to obtain the ciphertexts E(µ₁), ..., E(µ_(p)) under    said homomorphic encryption algorithm E, where µ_(i) is the encoded    value of x_(i) by an encoding function.

Different applications of the remote digital service according to theinvention may be mentioned, inter alia. Thus, it is already known, asmentioned in the aforementioned article by MajecSTIC ‘08, aKolmogorov-type decomposition applied to grey-level images - which maybe viewed as bivariate functions ƒ(x, y) = I(x, y) where I(x, y) givesthe grey intensity of the pixel of coordinates (x, y) - allowsreconstructing an approximate image of the original image. Consequently,the knowledge of coordinates (x_(1,)y₁) and (x_(2,)y₂) defining abounding box allows performing cropping operations in a simple way. Asimilar processing applies on colour images while considering thebivariate functions ƒ₁(x,y) = R(x,y), ƒ₂(x,y) = G(x,y) and ƒ₃(x,y) =B(x,y) giving the red, green and blue levels respectively. While thisprocessing type has been known on unencrypted data, the invention nowallows carrying out it using homomorphic encryption. Thus, according tothe invention, if a user sends in an encrypted manner his GPScoordinates recorded at regular intervals (for example every 10 seconds)during a sport activity as well as the extreme coordinates of hisjourney (defining a bounding box), the service provider in possession ofthe image of a cartographic plan will be able to obtain the ciphertextof the portion of the plan relating to the activity by cropping;furthermore, he will be able, still in the encrypted domain, torepresent the journey using for example a colour code to indicate thelocal speed homomorphically computed based on the received encryptedimages of the GPS coordinates. Advantageously, the (third-party) serviceprovider has no knowledge of the exact location of the activity (exceptthat it is on his plan) or of the performances of the user. Furthermore,the third-party does not disclose the entirety of the map. The inventioncan also be advantageously used to allow performing artificialintelligence processing, in particular of machine-learning type on inputdata which remain encrypted and on which the service providerimplementing in particular a neural network applies one or moreactivation function(s) on values derived from said encrypted data. Asexample of this use of the invention in connection with theimplementation of a neural network, reference may be made to thedecomposition of the function g(z₁,z₂) = max(z₁,z₂), which serves inparticular as the aforementioned “max pooling” used by the neuralnetworks, into z₂ + (z₁ - z₂)⁺ where z ↦ z⁺ corresponds to theunivariate function z ↦ max(z, 0). Reference may also be made to thevery popular activation functions ReLU: ℝ → ℝ⁺, t ↦ t⁺ and sigmoid:

$ {\mathbb{R}}arrow\lbrack 0,1\rbrack,t\mapsto\frac{1}{1 + \exp( - t)}. $

Thus, in one of the embodiments of the invention, a remote serviceimplementing one or more of the previously-described cryptographichomomorphic evaluation methods is intended for digital processingimplementing neural networks.

Disclosure of the Invention as it is Characterised

The invention enables the evaluation, on encrypted data, of one or morefunction(s) through the implementation of the data calculation andprocessing capabilities of one or more digital information processingsystem(s). Depending on the case, this or these function(s) may beunivariate or multivariate. Hence, in its different variants, the methodaccording to the invention allows proceeding with the evaluation of bothtypes of functions.

When the function(s) to be evaluated are of the multivariate type, theinvention provides first of all for carrying out two preliminary steps:the first is a pre-calculation one, followed by a second pre-selectionstep before applying on the network(s) of univariate functions obtainedupon completion of the execution of these two preliminary steps a thirdstep of homomorphic evaluation of said networks of univariate functionsaccording to any known method for homomorphic evaluation of univariatefunctions. This is the object of claim 1.

Several variants of said method are disclosed in claims 2 to 5,depending on whether the initial pre-calculation step could implementdifferent mathematical techniques described hereinabove: theKolmogorov-type decomposition of one of its algorithmic variants such asthat one proposed by Sprecher (in claim 5), resorting to a sum ofparticular multivariate functions called ridge functions (in claims 2and 4) or else through the use of so-called radial functions (in claims3 and 4). In some particular cases, the invention also provides for theadvantageous possibility of using none of these three aforementionedvariants but simply proceeding with a formal decomposition usingdifferent formal equivalences (such as those claimed in each of claims 6to 10).

In the case where the function(s) to be evaluated are of the univariatetype, the invention provides, in one of its implementations, for theimplementation respectively at the input and at the output of twohomomorphic encryption algorithms and the step of pre-calculating atable for each considered function followed by a step of homomorphicevaluation of the table thus obtained, as claimed by claim 11.Advantageously, this modality of homomorphic evaluation of one or moreunivariate function(s) may also be implemented to perform the thirdhomomorphic evaluation step provided for upon completion of thepre-calculation and pre-selection steps which have been appliedbeforehand to one or more multivariate function(s), according to claim1.

Claim 11 covers two variants of such a combination, including when theinitial pre-calculation phase uses an approximate transformation (ascharacterised in claims 2 to 5) or a transformation based on a formalequivalence (as characterised in claims 6 to 10).

1. A cryptographic method executed in a digital form by at least oneinformation processing system specifically programmed to perform theevaluation of one or more multivariate real-valued function(s) f₁, ...,f_(q), each of the functions taking as input a plurality of real-valuedvariables from among the variables x₁,...,x_(p), and at least one ofsaid functions taking as input at least two variables, taking as inputthe ciphertexts of the encryptions of each of the inputs x_(i),E(encode(xi)) with 1 ≤ i ≤ p, and returning the plurality of ciphertextsof encryptions of f₁, ..., f_(q) applied at their respective inputs,where E is a homomorphic encryption algorithm and encode is an encodingfunction which associates to each of the reals x_(i) an element of thenative space of cleartexts of E, wherein: a. a pre-calculation stepconsisting in transforming each of said multivariate functions into anetwork of univariate functions, consisting of compositions ofunivariate functions with real value and sums, b. a pre-selection stepconsisting in identifying in said networks of pre-calculated univariatefunctions the redundancies of one of the three types: the sameunivariate functions applied to the same arguments, different univariatefunctions applied to the same arguments, the same univariate functionsapplied to arguments differing by a non-zero additive constant andselecting all or part thereof c. a step of homomorphic evaluation ofeach of the networks of pre-calculated univariate functions, whereinwhen all or part of one or more of these univariate functions is reusedthe redundancies selected in the pre-selection step are evaluated in ashared manner.
 2. The cryptographic method according to claim 1, whereinfor at least one function f_(j) from among f₁, ...,f_(q), thetransformation of the pre-calculation step is an approximatetransformation in the form$f_{j}( {x_{j_{1}},\,\ldots\mspace{6mu},x_{j_{t}}} ) \approx {\sum_{k = 0}^{K}g_{k}}( {\sum_{i = 1}^{t}{a_{i,k}\mspace{6mu} x_{j_{i}}}} )$with t ≤ p and j ₁, ..., j_(t) ∈ {1, ..., p}, and where the coefficientsa_(i,k) are real numbers and where the g_(k) are univariate functionsdefined on reals and with real value, said functions g_(k) and saidcoefficients a_(i,k) being determined as a function of f_(j), for agiven parameter K.
 3. The cryptographic method according to claim 1,wherein for at least one function f_(j) from among f₁, ...,f_(q), thetransformation of the pre-calculation step is an approximatetransformation in the form$f_{j}( {x_{j_{1}},\mspace{6mu}\ldots\mspace{6mu},\mspace{6mu} x_{j_{t}}} ) \approx {\sum_{k = 0}^{K}g_{k}}( \| {\text{x} - \text{a}_{\text{k}}} \| )$with x = (x _(j1), ..., x_(jt)), a_(k) = (a_(1,k), ..., a_(t,k)), t ≤ pand j₁, ..., j_(t) ∈ {1, ..., p}, and where the vectors a_(k) have ascoefficients a_(i,k) real numbers and where the g_(k) are univariatefunctions defined on reals and with real value, said functions g_(k) andsaid coefficients a_(i,k) being determined as a function of f_(j), for agiven parameter K and a given norm ||·||.
 4. The cryptographic methodaccording to claim 2, wherein the coefficients a_(i,k) are fixed.
 5. Thecryptographic method according to claim 1, wherein for at least onefunction f_(j) from among f₁, ...,f_(q), the transformation of thepre-calculation step is an approximate transformation in the form$f_{j}( {x_{j_{1}},\mspace{6mu}\ldots\mspace{6mu},x_{j_{t}}} ) \approx {\sum_{k = 0}^{K}g_{k}}( {\sum_{i = 1}^{t}{\lambda_{j_{i}}\Psi( {x_{j_{i}} +} )}} )$ka)) with t ≤ p and j ₁, ..., j_(t) ∈ {1, ..., p}, and where Ψ is aunivariate function defined on reals and with real value, where theλ_(ji) are real constants and where the g_(k) are univariate functionsdefined on reals and with real value, said functions g_(k) beingdetermined as a function of f_(j), for a given parameter K.
 6. Thecryptographic method according to claim 1, wherein the transformation ofthe pre-calculation step uses the formal equivalence max(z₁, z₂) = z₂ +(z₁ - z₂)⁺ to express the function (z₁,z₂) ↦ max(z₁,z₂) as a combinationof sums and compositions of univariate functions.
 7. The cryptographicmethod according to claim 1, wherein the transformation of thepre-calculation step uses the formal equivalence min(z₁, z₂) = z₂ +(z₁ - z₂)⁻ to express the function (z₁,z₂) ↦ min(z₁,z₂) as a combinationof sums and compositions of univariate functions.
 8. The cryptographicmethod according to claim 1, wherein the transformation of thepre-calculation step uses the formal equivalence z₁ × z₂ = (z₁ +z₂)²/4 - (z₁ - z₂)²/4 to express the function (z₁, z₂) ↦ z₁ × z₂ as acombination of sums and compositions of univariate functions.
 9. Thecryptographic method according to claim 1, wherein the transformation ofthe pre-calculation step uses the formal equivalence |z₁ × z₂| = exp(In|z₁| + In |z₂|) to express the function (z₁,z₂) ↦ |z₁ × z₂| as acombination of sums and compositions of univariate functions.
 10. Thecryptographic method according to one of claim 6, wherein the formalequivalence is obtained from the iteration of the formal equivalence fortwo variables, for said function when the latter includes threevariables or more.
 11. The cryptographic method according to claim 1,including in the step of homomorphic evaluation of at least one of thepre-calculated networks of univariate functions, a sub-process forapproximate homomorphic evaluation of at least one of said univariatefunctions f of a real-valued variable x with an arbitrary accuracy in adomain of definition D and with real value in an image J, taking asinput the ciphertext of an encryption of x, E(encode(x)), and returningthe ciphertext of an encryption of an approximate value of f (x),E′(encode′(y)) with y ≈ f (x), where E and E′ are homomorphic encryptionalgorithms the respective native space of cleartexts of which is M andM′, said sub-method being parameterised by: an integer N ≥ 1 quantifyingthe actual accuracy of the representation of the variables at the inputof the function f to be evaluated, an encoding function encode taking asinput an element of the domain D and associating thereto an element ofM, an encoding function encode’ taking as input an element of the imageJ and associating thereto an element of M′, a discretisation functiondiscretise taking as input an element of M and associating thereto anindex represented by an integer, a homomorphic encryption scheme havingan encryption algorithm ε_(H) the native space of the cleartexts ofwhich M_(H) has a cardinality of at least N, an encoding functionencode_(H) taking as input an integer and returning an element of M_(H),so that the image of the domain D by the encoding encode followed by thediscretisation discretise, (discretise ◦ encode)(D), is a set of at mostN indices selected from S = {0, ...,N -1}, and characterised by: a. astep of pre-calculating a table corresponding to said univariatefunction f, consisting in decomposing the domain D into N selectedsub-intervals R₀, ..., R_(N-1) whose union makes up D for each index iin S = {0, ...,N - 1}, determining a representative x(i) in thesub-interval R_(i) and calculating the value y(i) = f (x(i)) returningthe table T consisting of the N components T[0], ...,T[N - 1], with T[i]= y(i) for 0 ≤ i ≤ N - 1 b. a step of homomorphic evaluation of thetable consisting in converting the ciphertext E(encode(x)) into theciphertext ε_(H)(encode_(H)(ĩ)) for an integer ĩ having as an expectedvalue the index i = (discretise ◦ encode)(x) in the set S = {0, ...,N -1} if x ∈ R_(i) obtaining the ciphertext E′(encode′(T[ĩ])^(~)) for anelement encode′(T[ĩ])^(~) having as an expected value encode′(T[ĩ]),based on the ciphertext ε_(H)(encode_(H)(ĩ)) and the table T returningE′(encode′(T[ĩ])^(~)).
 12. The cryptographic method according to claim11, wherein the domain of definition of the function f to be evaluatedis given by the real interval D = [x_(min), x_(max)), the N intervalsR_(i) (for 0 ≤ i ≤ N - 1) covering the domain D are the semi-opensub-intervals$R_{i} = \lbrack {\frac{i}{N}( {x_{\max} - x_{\min}} ) +} )$$( {x_{\min},\frac{i + 1}{N}( {x_{\max} - x_{\min}} ) + x_{\min}} ),$splitting D in a regular manner.
 13. The cryptographic method accordingto claim 11, wherein the set S is a subset of the additive group ℤ_(M)for an integer M ≥ N.
 14. The cryptographic method according to claim13, wherein the group ℤ_(M) is represented in a multiplicative manner asthe powers of a M-th primitive root of the unit denoted X, so that tothe element i of ℤ_(M) is associated the element X^(i); all of the M-throots of the unit {1, X, ..., X^(M-1)} forming a group isomorphic withℤ_(m) for the multiplication modulo (X^(M) - 1).
 15. The cryptographicmethod claim 11, wherein the homomorphic encryption algorithm E is givenby an LWE-type encryption algorithm applied to the torus

= ℝ/ℤ and has as a native space of the cleartexts M =

.
 16. The cryptographic method according to claim 15, parameterised byan integer M ≥ N wherein the encoding function encode has its imagecontained in the sub-interval$\lbrack {0,\frac{N}{M} - \frac{1}{2M}} )$ of the torus, andthe discretisation function discretise applies an element t of the torusto the rounded integer of the product M × t modulo M, where M × t iscalculated in ℝ; in mathematical form: discretise:

→ ℤ, t ↦ discretise(t) = [M × t] mod M.
 17. The cryptographic methodaccording to claim 16, wherein when the domain of definition of thefunction f is the real interval D = [x_(min), x_(max)), the encodingfunction encode is encode:$ \lbrack {x_{\min},x_{\max}} )arrow\lbrack {0,\frac{N}{M} - \frac{1}{2M}} ), $$ x\mapsto\mspace{6mu}\text{encode}(x) = \frac{2N - 1}{2M}\frac{x - x_{\min}}{x_{\max} - x_{\min}}. $.
 18. The cryptographic method according to claim 15, wherein thehomomorphic encryption algorithm ε_(H) is an LWE-type encryptionalgorithm and the encoding function encode_(H) is the identity function.19. The cryptographic method according to claim 15, parameterised by aneven integer M and wherein the homomorphic encryption algorithm ε_(H) isan RLWE-type encryption algorithm and the encoding function encode_(H)is the function encode_(H) : ℤ_(M) →T_(M/2)[X], i ↦ encode_(H)(i) =X^(-i) · p(X) for an arbitrary polynomial p of T_(M/2)[X].
 20. Thecryptographic method according to claim 18, parameterised by an eveninteger M equal to 2N, and wherein an LWE-type ciphertextE′(encode′(T[ĩ])) on the torus is extracted from an RLWE ciphertextapproaching the polynomial X^(-ĩ) · q(X) ∈ T_(N)[X], with q(X) = T′[0] +T′[1]X + ··· + T′[N - 1]X^(N-1) =$\sum_{j = 0}^{N - 1}{T^{\prime}\lbrack j\rbrack X^{j}}$ inT _(N)[X] andwhere T′[j] = encode′(T[j]), 0 ≤ j ≤ N -1.
 21. The cryptographic methodaccording to claim 11, wherein, when the image of said at least onefunction f is the real interval J = [y_(min),y_(max)), the homomorphicencryption algorithm E′ is given by an LWE-type encryption algorithmapplied to the torus

= ℝ/ℤ and has as a native space of the cleartexts M′ =

the encoding function encode′ is$ \text{encod}\text{e}^{\prime}\mspace{6mu}\text{:}\mspace{6mu}\lbrack {y_{\min},y_{\max}} )arrow\mathbb{T},y\mapsto\text{encod}\text{e}^{\prime}(y) = \frac{y - y_{\min}}{y_{\max} - y_{\min}}. $.
 22. The cryptographic method according to claim 1, wherein the inputencrypted data are derived from a prior re-encryption step so as to beset in the form of ciphertexts of encryptions of said homomorphicencryption algorithm E.
 23. An information processing system wherein itis programmed to implement a homomorphic evaluation cryptographic methodaccording to claim
 1. 24. A computer program intended to be loaded andimplemented by an information processing system according to claim 23.25. A cloud computing type remote service implementing a cryptographicmethod according to claim 1 wherein the tasks are shared between a dataholder and one or more third-parties acting as digital processingservice providers.
 26. The remote service according to claim 25involving the holder of the data x₁, ...,x_(p) who wishes to keep themsecret and one or more third-parties responsible for the application ofthe digital processing on said data, characterised in that a. theconcerned third-part(y/ies) carry out,,the first step of pre-calculatingnetworks of univariate functions and the second pre-selection step b.starting from the data x₁, ..., x_(p) held by the holder of the data arecalculated type data E(µ₁), ..., E(µ_(p)), where E is a homomorphicencryption algorithm and where µ_(i) is the encoded value of x_(i) by anencoding function c. once the concerned third-party has obtained theencrypted type data E(µ_(i)), he homomorphically evaluates in a seriesof successive steps based on these ciphertexts each of said networks ofunivariate functions, so as to obtain the ciphertexts of encryptions off_(j) applied to their inputs (for 1 ≤ j ≤ q) under the encryptionalgorithm d. once he has obtained, for the considered differentfunction(s) f_(j) the encrypted results of the encryptions on theirinput values, the concerned third-party sends all these results back tothe holder of the data e. the holder of the data obtains, based on thecorresponding decryption key held thereby, after decoding, a value ofthe result of one or more function(s) (f₁, ...,f_(q)).
 27. The remoteservice according to claim 26, wherein in the second step denoted (b) insaid claim, the holder of the data carries out the encryption of x₁,..., x_(p) by a homomorphic encryption algorithm E, and transmits typedata E(µ₁), ..., E (µ_(p)) to the third-party, where µ_(i) is theencoded value of x_(i) by an encoding function.
 28. The remote serviceaccording to claim 26, wherein in the second step denoted (b) in saidclaim the holder of the data carries out the encryption of x₁, ...,x_(p) by an encryption algorithm different from E and transmits saiddata thus encrypted. on said received encrypted data, the concernedthird-party performs a re-encryption to obtain the ciphertexts E(p₁),..., E(µ_(p)) under said homomorphic encryption algorithm E, where µ_(i)is the encoded value of x_(i) by an encoding function.
 29. The remoteservice according to claim 25 intended for digital processingimplementing neural networks.